
Policy Troubleshooter for BeyondCorp Enterprise is now GA!

December 14, 2021
Tanisha Rai

Product Manager, Google Cloud Security

Having the ability to access corporate resources and information remotely and securely has been crucial for countless organizations during the course of the COVID-19 pandemic. Yet, many employees may agree that this process is not always seamless, especially if they were blocked from getting to an app or a resource they should be able to access. Adding to this frustration is the challenge of getting in touch with IT support to figure out what was happening and why, which can be even more difficult in a remote environment.

Our aim with BeyondCorp Enterprise, Google Cloud’s zero trust access solution, is to provide a frictionless experience for users and admins, and today, we are happy to announce that Policy Troubleshooter for BeyondCorp Enterprise is now generally available, providing support for administrators to triage blocked access events and easily unblock users. 

BeyondCorp Enterprise provides users with simple and secure access to applications across clouds and across devices. Administrators are able to configure and apply granular rules to manage access to sensitive corporate resources. While these policies define how trust is established and maintained as part of the zero trust model, sometimes the layering of rules can make it difficult for end-users to understand why access to an application or resource may fail.

Administrators can enable this feature to generate a troubleshooting URL per Identity-Aware Proxy (IAP) resource in real-time for denied events. End-users who find themselves blocked will see a "Troubleshooter URL" which can be copied and sent via email to the administrator, who can quickly use the information to diagnose the error and identify why access requests fail.

Troubleshooting information presented to BeyondCorp Enterprise users when access is denied

Policy Troubleshooter gives admins essential visibility of access events across their environment. After arriving on the BeyondCorp Enterprise Troubleshooter analysis page, the administrator can see different views. The Summary View shows an aggregate view of all the relevant policy and membership findings.

Administrators presented with a Summary View of the troubleshooting findings

In addition, the Identity and Access Management (IAM) policy view shows a list of evaluation results for the effective IAM bindings, granted or not, together with a high-level view of where the failures occurred. Admins can also see a table displaying the user and device context.

Administrators can also toggle to the IAM Policy View to see Binding Details
Administrators can investigate further in the Binding details to identify where the failures occurred

With this information, admins can give end-users more detailed information about why access failed, including things like group membership status, time or location constraints, or device rules such as attempting access from a disallowed device. Policy Troubleshooter also enables admins to update policies to allow access if warranted.

Detailed troubleshooting of access levels and conditions

Admins can also use Policy Troubleshooter to test hypothetical events and scenarios, gaining insight and visibility into the potential impact of new security policies. By proactively troubleshooting hypothetical requests, they can verify that users have the right permissions to access resources and prevent future access interruptions and interactions with IT support staff.

Administrators can navigate to the Policy Troubleshooter for BeyondCorp Enterprise landing page to proactively troubleshoot hypothetical requests

Policy Troubleshooter for BeyondCorp Enterprise is a valuable tool for organizations that need to apply multiple rules to multiple resources for different groups of users. Regardless of whether the workforce is remote, providing the ability for admins to triage access failure events and unblock users in a timely way is absolutely critical for an organization’s productivity. 

If you are interested in learning more, please reference our documentation to get started. This new feature will also be showcased during Google Cloud Security Talks on December 15. To see a demo, register for this free event and join us live or on-demand to learn about all of the work Google is doing to support customers’ implementations of zero trust!