Security | Investigate User
Investigates a specific user's activity, reports, object access, and permission path to help analyze anomalies and answer investigative questions.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions with the Security Center add-on and Foundations or Agentforce 1 Editions. |
| User Permissions Needed | |
|---|---|
| To view Security Center pages: | View Security Center |
| To create and edit security policies: | Manage Security Center |
| See Common User Access for Standard Agent Actions. | |
Action Details
| API Name | InvestigateUser |
| Reference Action Type | Standard Action |
| Does this tool run one or more prompt templates? | Yes |
| Required setup | Turn on Security Center and Security Agent with View Security Center or Manage Security Center user permission. |
InvestigateUser and Prompt Templates
The tool runs the Investigate User prompt template. The prompt template acts as a Salesforce investigation specialist.
- Synthesizes user profile data, activity patterns, report usage, access evaluation, and permission lineage into a clear, actionable summary.
- Identifies notable events.
- Evaluates whether access is appropriate.
- Traces permissions granted through profiles, permission sets, and roles.
- Provides the next steps for investigation.
Guidelines and Considerations
InvestigateUser investigates users flagged in anomaly detection.
- Provides a comprehensive user investigation, including profile, activity, and permissions data.
- Evaluates whether user access to objects is appropriate and provides a rationale.
- Traces permission lineage to identify how the system granted access.
- Identifies risky permission grants that require review.
- Includes clear next steps for further investigation or remediation in the output.
Did this article solve your issue?
Let us know so we can improve!
