Given that Copado is a managed package that is installed in a production org, all users that will be working with Copado must have a Salesforce license that, at least, grants them access to managed package objects (AppExchange App) and the Push Topics object (a Salesforce object).
The minimum Salesforce license required for any Copado user is the Platform license.
- Metadata deployments: the org credentials of the source and destination orgs must correspond to a user that has the Modify All Data permission, otherwise metadata deployments will fail due to a lack of permissions.
- Data deployments: the org credentials of the source and destination orgs must correspond to a user that has the API Enabled permission and has access to the objects whose records are being deployed, otherwise data deployments will fail due to a lack of permissions.
Strict Access to Production
Copado users don't have to be System Administrators in production or have access to production data. You can remove access to restricted objects and fields, just like with any other user, by using SFDC profiles or permission sets.
If your release management or development team has no access to production at all, you can also install Copado in a tooling org (which is an empty production org). In this tooling org you can integrate all your Salesforce orgs via an OAuth authentication with the org credentials and, as usual, perform deployments between your different orgs.
Click here for more information about Salesforce licenses and/or contact your Salesforce representative for further assistance regarding Salesforce licenses.