Large organizations often have complicated Identity and Access Management (IAM) policies. Policy Intelligence tools help you understand and manage your policies to proactively improve your security configuration.
The following sections explain what you can do with Policy Intelligence tools.
Enforce least privilege
The IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually need.
Specifically, the IAM recommender compares role grants with the permissions that each member used during the past 90 days. If you grant a role to a member, and the member does not use all of that role's permissions, then the IAM recommender is likely to recommend that you revoke the role. If necessary, the IAM recommender also recommends less permissive roles as a replacement. This suggested replacement could be a new custom role, an existing custom role, or one or more predefined roles. Except in the case of recommendations for Google-managed service accounts, the IAM recommender never suggests a change that increases a member's level of access.
To learn more about the IAM recommender, see Enforce least privilege with recommendations.
Simulate policy changes
Policy Simulator lets you see how an IAM policy change might impact a member's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a member to lose access that they need.
To find out how an IAM policy change might impact a member's access, Policy Simulator determines which access attempts from the last 90 days have different results under the proposed policy and the current policy. Then, it reports these results as a list of access changes.
To learn more about Policy Simulator, see Understanding Policy Simulator.
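As an added illustration, not code from Google's Policy Intelligence tools, the following Python models the two checks described above over a constructed role table, two policies and a stand-in access log: the recommender's comparison of granted permissions against permissions actually used, and the simulator's diff of logged access attempts under the current and a proposed policy. The model assumes a single flat allow policy with no resource hierarchy or conditions.

```python
# Constructed role-to-permission table (real predefined roles carry many more).
ROLE_PERMISSIONS = {
    "roles/bigquery.dataViewer": {"bigquery.datasets.get", "bigquery.tables.getData"},
    "roles/bigquery.dataEditor": {"bigquery.datasets.get", "bigquery.tables.getData",
                                  "bigquery.tables.create", "bigquery.tables.delete"},
    "roles/bigquery.admin": {"bigquery.datasets.get", "bigquery.tables.getData",
                             "bigquery.tables.create", "bigquery.tables.delete",
                             "bigquery.datasets.create", "bigquery.datasets.setIamPolicy"},
}
# Constructed policies: the proposed one downgrades alice from admin to dataEditor.
CURRENT_POLICY = {"bindings": [
    {"role": "roles/bigquery.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["user:bob@example.com"]}]}
PROPOSED_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataEditor", "members": ["user:alice@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["user:bob@example.com"]}]}
# Constructed stand-in for 90 days of access attempts: (member, permission) pairs.
ACCESS_LOG = [
    ("user:alice@example.com", "bigquery.tables.getData"),
    ("user:alice@example.com", "bigquery.tables.create"),
    ("user:alice@example.com", "bigquery.datasets.setIamPolicy"),
    ("user:bob@example.com", "bigquery.tables.getData"),
    ("user:bob@example.com", "bigquery.tables.create"),  # denied under both policies
]

def permissions_of(policy: dict, member: str) -> set:
    """Union of the permissions every binding in `policy` grants to `member`."""
    return set().union(*(ROLE_PERMISSIONS[b["role"]] for b in policy["bindings"]
                         if member in b["members"]))

def simulate(current: dict, proposed: dict, access_log: list) -> list:
    """Simulator-style diff: logged attempts whose allow/deny outcome would change."""
    changes = []
    for member, permission in access_log:
        before = permission in permissions_of(current, member)
        after = permission in permissions_of(proposed, member)
        if before != after:
            changes.append({"member": member, "permission": permission,
                            "current": "ALLOW" if before else "DENY",
                            "proposed": "ALLOW" if after else "DENY"})
    return changes

def unused_permissions(policy: dict, access_log: list) -> dict:
    """Recommender-style view: granted permissions each member never exercised."""
    used = {}
    for member, permission in access_log:
        used.setdefault(member, set()).add(permission)
    members = {m for b in policy["bindings"] for m in b["members"]}
    return {m: sorted(permissions_of(policy, m) - used.get(m, set())) for m in members}
```

Running `simulate` on the constructed data flags that the downgrade would cost alice the `bigquery.datasets.setIamPolicy` access she used in the log, which is exactly the kind of regression the simulator surfaces before the change is committed.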
Understand your IAM policies
There are several Policy Intelligence tools that help you understand what access your IAM policies grant.
Cloud Asset Inventory provides the Policy Analyzer, which helps you find out which members have access to which Google Cloud resources.
Typical questions the Policy Analyzer can help you answer are "Who can access this IAM service account?" and "Who can read data in this BigQuery dataset that contains personally identifiable information (PII)?"
The Policy Analyzer allows you to perform access administration, provides access visibility, and can also be used for audit and compliance-related tasks.
To learn how to use Policy Analyzer, see Analyzing IAM policies.
Policy Troubleshooter makes it easier to understand why a user has access to a resource or doesn't have permission to call an API. Given an email, resource, and permission, Policy Troubleshooter examines all IAM policies that apply to the resource. It then reveals whether the member's roles include the permission on that resource and, if so, which policies bind the member to those roles.
To learn how to use Policy Troubleshooter, see Troubleshooting access.
Comparison of Policy Analyzer and Policy Troubleshooter
Both Policy Analyzer and Policy Troubleshooter help you answer questions about your IAM policies. However, the types of questions they help you answer are different.
Policy Analyzer helps you answer "who," "what," and "which" questions, like the following:
- "Who has any access to this IAM service account?"
- "What roles and permissions does this user have on this BigQuery dataset?"
- "Which BigQuery datasets does this user have permission to read?"
In contrast, Policy Troubleshooter helps you answer "why" questions, like the following:
- "Why does this user have the bigquery.datasets.create permission on this BigQuery dataset?"
- "Why isn't this user able to view the IAM policy of this BigQuery dataset?"
- Learn how to get started with the IAM recommender by reviewing IAM recommender best practices.
- Find out how to run a simulation using Policy Simulator.