This document lists the quotas and limits that apply to Policy Intelligence.
A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to request or make changes to the quota.
In most cases, when a quota is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota.
There are also limits on Policy Intelligence resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Policy Analyzer quotas
Cloud Asset Inventory enforces the rate of incoming requests based on the consumer project. Default quotas are listed below:
| Quota | Value |
|---|---|
AnalyzeIamPolicy |
100 per minute per consumer project 1,000 per day per consumer project |
AnalyzeIamPolicyLongrunning |
100 per minute per consumer project 1,000 per day per consumer project |
You can use the APIs and services quotas dashboard to view current quotas and usage for your project.
Policy Analyzer also limits the number of queries that you can make if you don't have an organization-level activation of Security Command Center Premium. However, queries to Policy Analyzer for IAM allow policies won't count towards the quota until April 29, 2024.
| Quota | Value |
|---|---|
| Analysis queries per organization per day1 | 20 |
1 This quota only applies for organizations that don't have an organization-level activation of Security Command Center Premium.
For more details, see Billing questions.
Policy Analyzer limits
The Policy Analyzer limits group expansion within the group memberships and resource expansion within the resource hierarchy to the following values.
| Limit | Value |
|---|---|
AnalyzeIamPolicy |
1,000 per group |
AnalyzeIamPolicy |
1,000 per resource |
AnalyzeIamPolicyLongrunning |
100,000 per resource |
Recommendations limits
The following limits apply to IAM recommendations:
| Limit | Value |
|---|---|
| Number of recommendations per day to add a custom role to an organization | 15 |
| Number of recommendations per day to add a custom role to a project | 5 |
| Number of custom roles in an organization that prevents recommendations to create new custom roles1 | 100 |
| Number of custom roles in a project that prevents recommendations to create new custom roles2 | 25 |
1 If your organization contains more than 100 custom roles, you will continue to receive role recommendations from Recommender. However, none of the recommendations will suggest that you create a new custom role.
2 If your project contains more than 25 custom roles, you will continue to receive role recommendations from Recommender. However, none of the recommendations for that project will suggest that you create a new custom role.