Quotas and limits

This document lists the quotas and limits that apply to Policy Intelligence.

A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.

Quotas are part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to make or request changes to the quota.

When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.

To increase or decrease most quotas, use the Google Cloud console. For more information, see Requesting a higher quota.

There are also limits on Policy Intelligence resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Policy Analyzer quotas

Cloud Asset Inventory enforces the rate of incoming requests based on the consumer project. Default quotas are listed below:

Quota Value
AnalyzeIamPolicy

100 per minute per consumer project

1,000 per day per consumer project

AnalyzeIamPolicyLongrunning

100 per minute per consumer project

1,000 per day per consumer project

You can use the APIs and services quotas dashboard to view current quotas and usage for your project.

Policy Analyzer limits

The Policy Analyzer limits group expansion within the group memberships and resource expansion within the resource hierarchy to the following values.

Limit Value
AnalyzeIamPolicy 1,000 per group
AnalyzeIamPolicy 1,000 per resource
AnalyzeIamPolicyLongrunning 100,000 per resource

Recommendations limits

The following limits apply to IAM recommendations:

Limit Value
Number of recommendations per day to add a custom role to an organization 15
Number of recommendations per day to add a custom role to a project 5
Number of custom roles in an organization that prevents recommendations to create new custom roles1 100
Number of custom roles in a project that prevents recommendations to create new custom roles2 25

1 If your organization contains more than 100 custom roles, you will continue to receive role recommendations from Recommender. However, none of the recommendations will suggest that you create a new custom role.

2 If your project contains more than 25 custom roles, you will continue to receive role recommendations from Recommender. However, none of the recommendations for that project will suggest that you create a new custom role.