This page describes how to simulate a change to a principal access boundary (PAB) policy or binding using Policy Simulator. It also explains how to interpret the results of the simulation, and how to apply the simulated principal access boundary policy or binding if you choose to.
This feature only evaluates access based on principal access boundary policies.
To learn how to simulate changes to other policy types, see the following:
- Test deny policy changes with Policy Simulator
- Test organization policy changes with Policy Simulator
- Test role changes with Policy Simulator
Before you begin
- Enable the Cloud Asset Inventory, Identity and Access Management, Policy Analyzer, and Policy Simulator APIs.
- Optional: Learn how Policy Simulator for principal access boundary policies works.
Required roles
To get the permissions that you need to test changes to principal access boundary policies and bindings, ask your administrator to grant you the following IAM roles on the organization:
- IAM Operation Viewer (roles/iam.operationViewer)
- IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin)
- IAM Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin)
- Organization Administrator (roles/resourcemanager.organizationAdmin)
- Principal Access Boundary Policy Admin (roles/iam.principalAccessBoundaryAdmin)
- Workspace Pool IAM Admin (roles/iam.workspacePoolAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
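The following shell script is an added example and is not part of this page or of Google's own tooling. It checks the two prerequisites above (the four APIs and the six organization-level roles) and lists whatever is still missing, so you can confirm them before starting a simulation. It assumes the gcloud CLI is installed and authenticated, and that the service names cloudasset.googleapis.com, iam.googleapis.com, policyanalyzer.googleapis.com and policysimulator.googleapis.com are the ones behind the APIs named above (an assumption, not stated on this page). The member value user:alice@example.com in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): list the APIs and
# organization roles required for principal access boundary simulations that
# are still missing. Assumes gcloud is installed and authenticated for real use;
# the comparison logic takes plain text so it can be exercised offline.

# Assumed service names for the four APIs named on the page.
REQUIRED_APIS="cloudasset.googleapis.com iam.googleapis.com policyanalyzer.googleapis.com policysimulator.googleapis.com"

# Roles listed on the page, to be granted on the organization.
REQUIRED_ROLES="roles/iam.operationViewer roles/iam.workforcePoolAdmin roles/iam.workloadIdentityPoolAdmin roles/resourcemanager.organizationAdmin roles/iam.principalAccessBoundaryAdmin roles/iam.workspacePoolAdmin"

# missing_items REQUIRED PRESENT
#   REQUIRED is a space-separated list; PRESENT is newline-separated text
#   (for example gcloud output). Prints each required item that does not
#   appear as a whole line in PRESENT, one per line, in REQUIRED order.
missing_items() {
  required=$1
  present=$2
  for item in $required; do
    # -F: fixed string, -x: whole line, -q: no output
    if ! printf '%s\n' "$present" | grep -qxF "$item"; then
      printf '%s\n' "$item"
    fi
  done
}

# missing_apis PROJECT_ID
#   Lists required APIs that are not enabled in the project.
missing_apis() {
  enabled=$(gcloud services list --enabled --project "$1" \
    --format='value(config.name)')
  missing_items "$REQUIRED_APIS" "$enabled"
}

# missing_roles ORG_ID MEMBER
#   Lists required roles that MEMBER (e.g. user:alice@example.com, a
#   constructed placeholder) does not hold directly on the organization.
#   Roles inherited through groups or custom roles are not detected here.
missing_roles() {
  granted=$(gcloud organizations get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$2" \
    --format='value(bindings.role)')
  missing_items "$REQUIRED_ROLES" "$granted"
}

# enable_apis PROJECT_ID
#   Enables every required API in the project in one call.
enable_apis() {
  # shellcheck disable=SC2086  # word splitting of the list is intended
  gcloud services enable $REQUIRED_APIS --project "$1"
}

# Usage: sh check_pab_prereqs.sh PROJECT_ID ORG_ID MEMBER
if [ "$#" -eq 3 ]; then
  echo "Missing APIs in project $1:"
  missing_apis "$1"
  echo "Missing roles for $3 on organization $2:"
  missing_roles "$2" "$3"
fi
```

Run it with a project ID, an organization ID and a member string; an empty list under each heading means that prerequisite is satisfied. The role check only sees bindings that name the member directly, which is why the page's note about custom roles and other predefined roles still applies.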
Start a simulation
The following sections describe the ways that you can start a simulation for a change to a principal access boundary policy or binding.
Simulate a new binding for a principal access boundary policy
Follow the steps to create a policy binding, but don't click Add after entering the binding details. Instead, click Test changes.
Simulate an edit to an existing principal access boundary policy
Follow the steps to edit a principal access boundary policy, but don't click Save after editing the policy. Instead, click Test changes.
Simulate an edit to an existing binding for a principal access boundary policy
Follow the steps to edit a policy binding, but don't click Save after editing the binding. Instead, click Test changes.
Simulate deleting principal access boundary rules
In the Google Cloud console, go to the Principal Access Boundary policies page.
Select the organization that owns the principal access boundary policy whose rules you want to delete.
Click the policy ID of the principal access boundary policy whose rule you want to delete.
In the Boundary rules table, select the rules that you want to delete, then click Test delete rules.
Simulate deleting a principal access boundary policy
In the Google Cloud console, go to the Principal Access Boundary policies page.
Select the organization that owns the principal access boundary policy that you want to delete.
Find the ID of the policy that you want to delete. In that policy's row, click Actions, then click Test delete policy.
Simulate deleting a binding for a principal access boundary policy
In the Google Cloud console, go to the Principal Access Boundary policies page.
Select the organization that owns the principal access boundary policy whose binding you want to delete.
Click the policy ID of the principal access boundary policy whose bindings you want to delete.
Click the Bindings tab.
Find the ID of the binding that you want to delete. In that binding's row, click Actions, then click Test delete binding.
Understand simulation results
The results page for a principal access boundary policy or binding simulation contains the following information:
An Access revoked section, which contains the following information:
- The number of principals that would lose access if you applied the simulated principal access boundary policy or binding
- The number of known resources that principals would lose access to if you applied the simulated principal access boundary policy or binding
An Access gained section, which contains the following information:
- The number of principals that would gain access if you applied the simulated principal access boundary policy or binding
- The number of known resources that principals would gain access to if you applied the simulated principal access boundary policy or binding
A table of the access changes, which shows the impact of the simulated policy or binding. To learn how to interpret these access changes, see Policy Simulator results.
Take action based on a simulation
After reviewing a simulation report, you can take the following actions:
Export the simulation results: To export the results of a simulation as a CSV file, click Export raw results.
When you click this button, a CSV file with the simulation reports is downloaded to your computer.
Apply the simulated policy change: The button that you click to apply a simulated policy change depends on the type of change you're simulating.
- Simulating an edited principal access boundary policy or rule, or a deleted rule: click Set policy.
- Simulating a new or edited binding for a principal access boundary policy: click Set binding.
- Simulating a deleted principal access boundary policy: click Delete policy.
- Simulating a deleted binding for a principal access boundary policy: click Delete binding.
When you click this button, the Google Cloud console sets the simulated policy or binding.
Edit the simulated change to the policy or binding: To make further changes to the simulated policy or policy binding, click Back or Back to editing.
When you click this button, the Google Cloud console redirects you to the policy or policy binding editor.