Skip to main content

Auditing access changes with the Alerts table

How to review, scope, and export detected access changes for a compliance audit, and how to turn findings into tracked follow-up work

The Alerts table is the single place in Access change monitoring to see every detected access change: who changed access, what exactly changed, and how significant it is. This article covers how to use it as an audit surface — scoping the data to the question you're answering, exporting it as evidence, and turning anything that needs action into a tracked Story.

It assumes Access change monitoring has already been configured and that at least one policy is active and generating alerts.

For the day-to-day triage workflow, see Using the Access change monitoring tool.

Prerequisites

  • Enterprise plan with Access change monitoring add-on enabled

  • Connected and synced Salesforce Org for the monitoring target

  • At least one active policy so that changes are being detected and recorded

The Alerts table overview

Every detected change appears as a row, with the key context on one line:

  • Detected at — the timestamp of when the change actually happened, shown in your local time zone

  • Performed by — who made the change

  • Controller name — the profile, permission set, or permission set group the change came through

  • Users — how many users were affected

  • Operation — whether access was Gained or Lost

  • Access — what specifically happened (assigned, unassigned, create/read/edit, enabled, etc.)

  • Category — Assignment, Object, System Permission, or Field

  • Entity — the specific thing access applies to (e.g. ModifyAllData, ViewAllData, or an object such as Account)

  • Severity — based on the policy that fired

  • Policy — the name of the policy that fired

Filter and sort: scope your audit

The whole table is filterable and sortable by every column. Before doing anything else, narrow the data down to exactly what your audit needs to answer. A few common examples:

  • All Critical severity changes over a given period

  • Every change on the System Administrator profile (filter Controller name)

  • All Gained operations on an object holding sensitive data (filter Operation and Entity)

  • Everything Performed by a specific user during an investigation window

Filtering and sorting also set up the export in the next step — the file reflects what you've narrowed the table down to.

Export to CSV for audit evidence

Export returns the filtered dataset, not the whole table — what you see is what you get. This makes each export suitable as an audit artifact for a specific question or time window, rather than a full data dump you then have to trim.

The Users column in the table shows only a count. To get the actual list of affected users and their accounts, export to CSV: the file includes the full user list for each alert.

From alerts to action: create a story

When an audit surfaces a change that needs to be acted on, you act on it by creating a Story from the Alerts table. Rows are selectable, and from a selection you can:

  • Add the alerts to an existing Story

  • Create one new Story from the whole selection

  • Create a Story per alert

Typical reasons to create a Story from an audit:

  • Revert a change: the change is unauthorized, unintended, or breaks the org's access policy, and the Story tracks the work of undoing it in Salesforce.

  • Investigate a change: you can't yet tell whether the change is legitimate, so the Story assigns someone to look into it before a decision is made.

What gets linked is metadata, not the alert. Creating a Story links the related metadata: the permission controller and the entity the change applies to rather than the alert itself.

Did this answer your question?