
Using the Access change monitoring tool

Recommended policies to configure, the workflow for acting on alerts, and what to do when monitoring is paused.

This article covers the operational side of Access Change Monitoring once setup is complete: which policies are recommended as a baseline for any production org, how to triage and close an alert, and how to respond when the monitoring job enters a recovery state due to a connection issue.

Aimed at the Change Monitoring manager and the wider team subscribed to alert destinations, this guide assumes Access Change Monitoring has already been configured for the org model.

Prerequisites

Recommended monitoring policies

The following policies are recommended as a baseline for any production org. Configure them through the Create policy wizard from the Policies panel after initial setup is complete.

Critical system permissions assigned

Alert when any permission controller grants View All Data, Modify All Data, or any other system permission classified as dangerous in the Audit users with dangerous permissions report.

  • Category: System permissions

  • Operation: Gained

  • Target items: View All Data, Modify All Data, and any additional system permissions listed in the dangerous permissions report

  • Severity: Critical

Objects storing sensitive data

Alert when any permission controller gains access to objects storing regulated or commercially sensitive data. Use the Compliance overview dashboard to identify which objects should be in scope for your org.

  • Category: Object permissions

  • Operation: Gained

  • Access: Create, Edit, Delete, Modify All Records

  • Target items: the objects identified as sensitive in the Compliance overview dashboard

  • Severity: High

Sensitive fields

Alert when permission controllers gain Read or Edit access to fields containing PII or other regulated content. Use the Compliance overview dashboard to identify the fields in scope.

  • Category: Field permissions

  • Operation: Gained

  • Access: Edit

  • Target items: the fields identified as sensitive in the Compliance overview dashboard

  • Severity: High

Critical assignment alert

Alert when any user is assigned to the System Administrator profile.

  • Category: Assignment membership

  • Operation: Gained

  • Controller type: Profile

  • Target items: System Administrator

  • Severity: Critical

Severity values are guidance; adjust them to your org's risk model.

Act on notifications

Each alert delivered to Slack, email, or in-app contains the change type, the affected entity and controller, the affected user count, and a link to the alert record in Elements.cloud. The following workflow describes how to triage and close an alert.

Example alert

Critical — System Administrator assignment gained

Click on the "View in Salesforce" button to confirm the change on the permission controller setup page.

Decide on criticality: revert or acknowledge

After reviewing the alert, decide on the next action:

  • Revert — if the change is unauthorized, unintended, or breaks the org's access policy, revert it in Salesforce (remove the system permission, revoke the object/field access, or unassign the user from the controller).

  • Acknowledge — if the change is expected and legitimate (e.g., it matches an approved release work item), record it as reviewed.

Troubleshooting / FAQ

Object permissions and Field permissions cannot be set for monitoring

When configuring a policy, the Object permissions and Field permissions categories may appear disabled in the category selector, with an explanation message indicating they are not available for the current org model.

This happens when the Profile metadata job in the Q9 managed package is not scheduled in the connected Salesforce org, or when the system cannot retrieve the profile metadata even though the job is scheduled in the Elements Managed Package.

Object-level and field-level access on Profiles is retrieved by this scheduled job; without it, Access Change Monitoring does not have the baseline data required to evaluate Object permissions and Field permissions changes.

What to do: Make sure the Profile Metadata Information job is scheduled in the managed package and that the sync finished successfully after the job ran, then try again.

Action required! Access Change Monitoring cannot connect to the Production org

Access Change Monitoring depends on a working Salesforce connection. If the integration token expires, the integration user loses required permissions, or the connected app/API restrictions block access, the monitoring job enters a recovery state and notifications are sent automatically.

The first email is sent immediately after the first action-required error is detected. Recipients include the org owner, all org managers, and all destination users configured on monitoring policies.

What to do: review and fix the Salesforce connection or permission issue as soon as possible. This may require refreshing the token, restoring integration-user access, or resolving connected-app or API restrictions. The Salesforce org connection can be refreshed from the Salesforce Orgs page in the main app.

If the issue is resolved within the 3-hour grace period, monitoring resumes automatically using the configured polling interval, and the next poll covers any changes that occurred while the connection was failing.

Urgent! Access Change Monitoring has been paused

If the issue is not resolved within 3 hours, the monitoring job is automatically paused and a second email is sent.

What to do: fix the Salesforce connection or permission issue, then refresh the integration token from the Salesforce Orgs page in the main app. Once the token is refreshed and the monitoring job is re-enabled, monitoring resumes using the configured polling interval.

Changes that occurred while the job was paused will not be processed retrospectively. Review Setup Audit Trail directly in Salesforce for the paused period if a complete audit trail is required.
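One way to scope that manual review, as an added example that is not part of the product or the original article: it derives the paused period from the 3-hour grace period described above and filters exported Setup Audit Trail rows to access-related entries inside it. Assumptions: the grace period starts at the first action-required error, rows use the SetupAuditTrail field names CreatedDate, Section and Display, access changes are logged under the "Manage Users" section, and all sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=3)          # grace period stated in the article
SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"    # timestamp layout of exported CreatedDate values
ACCESS_SECTIONS = {"Manage Users"}  # assumption: where access changes are logged

# Constructed sample rows, not real audit data.
SAMPLE_ROWS = [
    {"CreatedDate": "2024-05-02T10:15:00.000+0000", "Section": "Manage Users",
     "Display": "Permission set assigned during grace period"},
    {"CreatedDate": "2024-05-02T14:20:00.000+0000", "Section": "Manage Users",
     "Display": "User profile changed to System Administrator"},
    {"CreatedDate": "2024-05-02T13:05:00.000+0000", "Section": "Company Information",
     "Display": "Organization setting changed"},
    {"CreatedDate": "2024-05-02T12:40:00.000+0000", "Section": "Manage Users",
     "Display": "Permission set assigned while paused"},
    {"CreatedDate": "2024-05-02T16:00:00.000+0000", "Section": "Manage Users",
     "Display": "Permission set assigned after re-enable"},
]


def paused_window(first_error, re_enabled, include_grace=False):
    """Return (start, end) of the period needing manual review, or None when the
    connection was restored inside the grace period (the next poll covers it).
    include_grace=True widens the start to the first error, a stricter choice."""
    pause_at = first_error + GRACE
    if re_enabled <= pause_at:
        return None
    return (first_error if include_grace else pause_at), re_enabled


def rows_to_review(rows, window):
    """Access-related audit rows inside the window, oldest first."""
    if window is None:
        return []
    start, end = window
    hits = []
    for row in rows:
        when = datetime.strptime(row["CreatedDate"], SF_TS)
        if start <= when < end and row["Section"] in ACCESS_SECTIONS:
            hits.append((when, row))
    return [row for _, row in sorted(hits, key=lambda pair: pair[0])]


if __name__ == "__main__":
    first = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)      # constructed
    enabled = datetime(2024, 5, 2, 15, 30, tzinfo=timezone.utc)  # constructed
    for row in rows_to_review(SAMPLE_ROWS, paused_window(first, enabled)):
        print(row["CreatedDate"], row["Display"])
```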
