This page shows how to use Policy Analyzer for allow policies to find out which principals have what access to which Google Cloud resources.
Principals can include the following:
- Users, groups, or domains
- Service accounts
- Agent identities
- Workload identities
- Workforce identities
The examples on this page show how to run a Policy Analysis query and immediately view the results. If you want to export the results for further analysis, you can use AnalyzeIamPolicyLongrunning to write query results to BigQuery or Cloud Storage.
Before you begin
- Enable the Cloud Asset API.
  Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
  You must enable the API in the project you will use to send the query. This doesn't have to be the same resource that you scope your query to.
- Optional: Understand how Policy Analyzer works.
- Optional: If you want to execute more than 20 policy analysis queries per organization per day, ensure that you have an organization-level activation of the Premium or Enterprise tier of Security Command Center. For more information, see Billing questions.
Required roles and permissions
The following roles and permissions are required to analyze allow policies.
Required IAM roles
To get the permissions that you need to analyze an allow policy, ask your administrator to grant you the following IAM roles on the project, folder, or organization that you will scope your query to:
- Cloud Asset Viewer (roles/cloudasset.viewer)
- To analyze policies with custom IAM roles: Role Viewer (roles/iam.roleViewer)
- To use the Google Cloud CLI to analyze policies: Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to analyze an allow policy. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to analyze an allow policy:
- cloudasset.assets.analyzeIamPolicy
- cloudasset.assets.searchAllResources
- cloudasset.assets.searchAllIamPolicies
- To analyze policies with custom IAM roles: iam.roles.get
- To use the Google Cloud CLI to analyze policies: serviceusage.services.use
You might also be able to get these permissions with custom roles or other predefined roles.
Required Google Workspace permissions
If you want to expand groups in query results to see if a principal has certain roles or permissions as a result of their membership in a Google Workspace group, you need the groups.read Google Workspace permission.
This permission is contained in the Groups Reader Admin role, and in more powerful roles such as the Groups Admin or Super Admin roles. To learn how to grant these roles, see Assign specific admin roles.
Determine which principals can access a resource
You can use Policy Analyzer to check which principals have certain roles or permissions on a specific resource in your project, folder, or organization. To get this information, create a query that includes the resource that you want to analyze access for and one or more roles or permissions to check for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
- In the Google Cloud console, go to the Policy analyzer page.
- In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
- In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
- Choose the resource to check and the role or permission to check for:
  - In the Parameter 1 field, select Resource from the drop-down menu.
  - In the Resource field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.
  - Click Add selector.
  - In the Parameter 2 field, select either Role or Permission.
  - In the Select a role or Select a permission field, select the role or permission that you want to check for.
  - Optional: To check for additional roles and permissions, continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.
- Optional: Click Continue, then select any advanced options that you want to enable for this query.
- In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on the specified resource.
Policy analysis queries in the Google Cloud console can take one minute to run. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
You can generate a visualization of your query by clicking Visualize results. For more information, see Visualize results (Preview).
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --full-resource-name=FULL_RESOURCE_NAME \
    --permissions='PERMISSIONS'
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --full-resource-name=FULL_RESOURCE_NAME `
    --permissions='PERMISSIONS'
Windows (cmd.exe)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --full-resource-name=FULL_RESOURCE_NAME ^
    --permissions='PERMISSIONS'
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result; the identities field is the one to read.
...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user:my-user@example.com
    role: roles/compute.admin
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
REST
To determine which principals have certain permissions on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PERMISSION_1, PERMISSION_2, ... PERMISSION_N: The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result; the identities field is the one to read.
...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
Determine which principals have certain roles or permissions
You can use Policy Analyzer to check which principals have specific roles or permissions on any Google Cloud resource in your organization. To get this information, create a query that includes one or more roles or permissions to check for, but does not specify a resource.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
- In the Google Cloud console, go to the Policy analyzer page.
- In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
- In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
- In the Parameter 1 field, select either Role or Permission.
- In the Select a role or Select a permission field, select the role or permission that you want to check for.
- Optional: To check for additional roles and permissions, do the following:
  - Click Add selector.
  - In the Parameter 2 field, select either Role or Permission.
  - In the Select a role or Select a permission field, select the role or permission that you want to check for.
  - Continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.
- Optional: Click Continue, then select any advanced options that you want to enable for this query.
- In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on any in-scope resource.
Policy analysis queries in the Google Cloud console can take one minute to run. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
You can generate a visualization of your query by clicking Visualize results. For more information, see Visualize results (Preview).
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- ROLES: A comma-separated list of the roles that you want to check for, for example, roles/compute.admin,roles/compute.imageUser. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
- PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --roles='ROLES' \
    --permissions='PERMISSIONS'
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --roles='ROLES' `
    --permissions='PERMISSIONS'
Windows (cmd.exe)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --roles='ROLES' ^
    --permissions='PERMISSIONS'
You receive a YAML response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result; the identities field is the one to read.
...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  - role: roles/compute.admin
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user:my-user@example.com
    role: roles/compute.admin
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
REST
To determine which principals have certain roles or permissions, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- ROLE_1, ROLE_2, ... ROLE_N: The roles that you want to check for, for example, roles/compute.admin. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
- PERMISSION_1, PERMISSION_2, ... PERMISSION_N: The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "accessSelector": {
      "roles": [
        "ROLE_1",
        "ROLE_2",
        "ROLE_N"
      ],
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result; the identities field is the one to read.
...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "role": "roles/compute.admin"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
Determine what access a principal has on a resource
You can use Policy Analyzer to check what roles or permissions a principal has on a resource in your organization. To get this information, create a query that includes the principal whose access you want to analyze and the resource that you want to analyze access for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
- In the Google Cloud console, go to the Policy analyzer page.
- In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
- In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
- Choose the resource and principal to check:
  - In the Parameter 1 field, select Resource from the drop-down menu.
  - In the Resource field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.
  - Click Add selector.
  - In the Parameter 2 field, select Principal from the drop-down menu.
  - In the Principal field, start typing the name of a user, service account, or group. Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.
- Optional: Click Continue, then select any advanced options that you want to enable for this query.
- In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all roles that the specified principal has on the specified resource.
Policy analysis queries in the Google Cloud console can take one minute to run. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
You can generate a visualization of your query by clicking Visualize results. For more information, see Visualize results (Preview).
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --full-resource-name=FULL_RESOURCE_NAME \
    --identity=PRINCIPAL
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --full-resource-name=FULL_RESOURCE_NAME `
    --identity=PRINCIPAL
Windows (cmd.exe)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --full-resource-name=FULL_RESOURCE_NAME ^
    --identity=PRINCIPAL
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result; the accesses field is the one to read.
...
---
ACLs:
- accesses:
  - role: roles/iam.serviceAccountUser
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user:my-user@example.com
    role: roles/iam.serviceAccountUser
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
REST
To determine what access a principal has on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "identitySelector": {
      "identity": "PRINCIPAL"
    }
  }
}
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result; the accesses field is the one to read.
...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/iam.serviceAccountUser",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "role": "roles/iam.serviceAccountUser"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
Determine which resources a principal can access
You can use Policy Analyzer to check which resources within your organization a principal has certain roles or permissions on. To get this information, create a query that includes the principal whose access you want to analyze and one or more permissions or roles that you want to check for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
- In the Google Cloud console, go to the Policy analyzer page.
- In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
- In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
- Choose the principal to check and the role or permission to check for:
  - In the Parameter 1 field, select Principal from the drop-down menu.
  - In the Principal field, start typing the name of a user, service account, or group. Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.
  - Click Add selector.
  - In the Parameter 2 field, select either Role or Permission.
  - In the Select a role or Select a permission field, select the role or permission that you want to check for.
  - Optional: To check for additional roles and permissions, continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.
- Optional: Click Continue, then select any advanced options that you want to enable for this query.
- In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all the resources on which the specified principal has the specified roles or permissions.
Policy analysis queries in the Google Cloud console can take one minute to run. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
You can generate a visualization of your query by clicking Visualize results. For more information, see Visualize results (Preview).
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
- PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --identity=PRINCIPAL \
    --permissions='PERMISSIONS'
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --identity=PRINCIPAL `
    --permissions='PERMISSIONS'
Windows (cmd.exe)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --identity=PRINCIPAL ^
    --permissions='PERMISSIONS'
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result; the resources field is the one to read.
... --- ACLs: - accesses: - permission: compute.instances.get - permission: compute.instances.start identities: - name: user:my-user@example.com resources: - fullResourceName: //compute.googleapis.com/projects/my-project/global/images/my-imagepolicy: attachedResource: //compute.googleapis.com/projects/my-project/global/images/my-image binding: members: - user: my-user@example.com role: roles/compute.admin --- ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
REST
To determine which resources a principal can access, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
- PERMISSION_1, PERMISSION_2, ... PERMISSION_N: The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result with the resources field highlighted.
...
{
  "attachedResourceFullName": "//compute.googleapis.com/projects/my-project/global/images/my-image",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//compute.googleapis.com/projects/my-project/global/images/my-image"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
Determine access at a specific time
If given enough context, Policy Analyzer can analyze IAM conditional role bindings that only grant access at specific times. These conditions are called date/time conditions . For Policy Analyzer to accurately analyze role bindings with date/time conditions, you need to define the access time in the request.
Policy Analyzer can also analyze resource conditions with no additional user input. For more information about how Policy Analyzer works with conditions, see Conditional access .
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
- FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PERMISSIONS: Optional. A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
- ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format, for example, 2099-02-01T00:00:00Z.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --identity=PRINCIPAL \
  --full-resource-name=FULL_RESOURCE_NAME \
  --permissions='PERMISSIONS' \
  --access-time=ACCESS_TIME
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --identity=PRINCIPAL `
  --full-resource-name=FULL_RESOURCE_NAME `
  --permissions='PERMISSIONS' `
  --access-time=ACCESS_TIME
Windows (cmd.exe)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --identity=PRINCIPAL ^
  --full-resource-name=FULL_RESOURCE_NAME ^
  --permissions='PERMISSIONS' ^
  --access-time=ACCESS_TIME
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the result of the condition evaluation is listed as TRUE.
...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  conditionEvaluationValue: 'TRUE'
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    condition:
      expression: request.time.getHours("America/Los_Angeles") >= 5
      title: No access before 5am PST
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
REST
To determine which principals will have certain permissions on a resource at a specific time, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
- FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
- PERMISSION_1, PERMISSION_2, ... PERMISSION_N: Optional. The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
- ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format, for example, 2099-02-01T00:00:00Z.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    },
    "conditionContext": {
      "accessTime": "ACCESS_TIME"
    }
  }
}
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the condition evaluation value in the analysis response is TRUE.
...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ],
    "condition": {
      "expression": "request.time.getHours(\"America/Los_Angeles\") \u003e= 5",
      "title": "No access before 5am PST"
    }
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ],
      "conditionEvaluation": {
        "evaluationValue": "TRUE"
      }
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
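The following Python is an added example covering both analyzeIamPolicy calls above (the plain query and the one with a conditionContext.accessTime); it is not Google's client library or sample code. It builds the request body from the page's fields and then triages a response so that CONDITIONAL results (conditions the analyzer could not evaluate) are reported separately from confirmed access; it assumes the AnalyzeIamPolicyResponse wrapper mainAnalysis.analysisResults and uses a constructed sample response modelled on the page's examples.

```python
"""Build an analyzeIamPolicy request body and triage its response.
Added example for this page, not Google's client library or sample code. Assumes the
AnalyzeIamPolicyResponse wrapper (mainAnalysis.analysisResults, fullyExplored) and
uses constructed sample data so it runs offline."""
from datetime import datetime, timezone


def build_request(principal, permissions, full_resource_name=None, access_time=None):
    """JSON body for POST .../RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy.
    Mirrors the page's fields: identitySelector, accessSelector, and the optional
    resourceSelector and conditionContext.accessTime used for date/time conditions.
    access_time may be an RFC 3339 string or a timezone-aware datetime."""
    query = {
        "identitySelector": {"identity": principal},
        "accessSelector": {"permissions": list(permissions)},
    }
    if full_resource_name:
        query["resourceSelector"] = {"fullResourceName": full_resource_name}
    if access_time is not None:
        if isinstance(access_time, datetime):
            access_time = access_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        query["conditionContext"] = {"accessTime": access_time}
    return {"analysisQuery": query}


def summarize_access(response):
    """Split resources into confirmed access and unevaluated (CONDITIONAL) grants.
    Only unconditional bindings and conditions that evaluated to TRUE count as
    granted; a reviewer must not read CONDITIONAL as confirmed access. fullyExplored
    is surfaced because a timed-out query returns partial results."""
    granted, conditional = set(), set()
    analysis = response.get("mainAnalysis", {})
    for result in analysis.get("analysisResults", []):
        has_condition = "condition" in result.get("iamBinding", {})
        for acl in result.get("accessControlLists", []):
            value = acl.get("conditionEvaluation", {}).get("evaluationValue")
            if value is None and has_condition:
                value = "CONDITIONAL"  # assumption: a missing evaluation is unevaluated
            names = {r["fullResourceName"] for r in acl.get("resources", [])}
            if value in (None, "TRUE"):
                granted |= names
            elif value == "CONDITIONAL":
                conditional |= names
    return {"granted": granted, "conditional": conditional,
            "fully_explored": bool(analysis.get("fullyExplored", False))}


def _sample_result(resource, evaluation=None, conditional=False):
    """Constructed analysis result in the shape shown on the page (test data only)."""
    binding = {"role": "roles/compute.admin", "members": ["user:my-user@example.com"]}
    if conditional:
        binding["condition"] = {"title": "No access before 5am PST",
                                "expression": 'request.time.getHours("America/Los_Angeles") >= 5'}
    acl = {"resources": [{"fullResourceName": resource}],
           "accesses": [{"permission": "compute.instances.get"}]}
    if evaluation:
        acl["conditionEvaluation"] = {"evaluationValue": evaluation}
    return {"attachedResourceFullName": resource, "iamBinding": binding,
            "accessControlLists": [acl], "fullyExplored": True}


IMAGE = "//compute.googleapis.com/projects/my-project/global/images/my-image"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/my-project"
BUCKET = "//storage.googleapis.com/projects/_/buckets/example-bucket"  # constructed
# Constructed response: an unconditional grant, a date/time condition evaluated with
# an accessTime, and a condition the analyzer could not evaluate.
SAMPLE_RESPONSE = {"mainAnalysis": {"analysisResults": [
    _sample_result(IMAGE),
    _sample_result(PROJECT, "TRUE", conditional=True),
    _sample_result(BUCKET, "CONDITIONAL", conditional=True),
], "fullyExplored": False}}
```

Feed the real response body from the REST call to summarize_access in place of SAMPLE_RESPONSE; anything in the conditional set needs a follow-up query with an accessTime before it is treated as access.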
Enable options
You can enable the following options to receive more detailed query results.
Visualize results
Preview — visualizing Policy Analyzer for allow policies query results
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms . Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions .
You can use Policy Analyzer to visualize an allow policy query. This can help you understand the relationship between identities, roles, permissions, and resources within your resource hierarchy. You can also use these visualizations to assess what permissions are unused or excessive for your principals.
Policy Analyzer visualizes relationships based on the roles that grant permissions. Queries scoped to a specific permission show allow policy bindings for the role that provides that permission.
Queries scoped to a folder or organization resource show allow policy bindings at the specified scope if no resource is specified in the query. To see allow policy bindings on resources within projects when the query is scoped to an organization or folder, specify a resource in the query and select Show bindings within the scope.
Queries scoped to a project resource show allow policy bindings on project resources and resources within projects by default. To only see allow policy bindings on project resources, clear Show bindings within the scope.
The number next to a project resource indicates how many resources within that project can be accessed using the granted role. Click Expand on a project resource with a number to see the resources that can be accessed using the granted role within that project, aggregated by service. For example, BigQuery tables and datasets are collected under BigQuery.
Direct principal bindings are displayed first. Nested bindings from group memberships are loaded afterwards. If access is granted through a nested group, the link to the specific group with the binding is displayed if you have the required permissions . To see more group memberships, click Load more.
The following example demonstrates visualizing a query to determine which principals can access a resource , but other query types can be visualized using the same process.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
- In the Google Cloud console, go to the Policy analyzer page.
- In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
- In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
- Choose the principal to check and the role or permission to check for:
  - In the Parameter 1 field, select Principal from the drop-down menu.
  - In the Principal field, start to enter the name of a principal, service account, or group. Then, select the principal, service account, or group whose access you want to analyze from the list of principals provided.
  - Click Add selector.
  - In the Parameter 2 field, select either Role or Permission.
  - In the Select a role or Select a permission field, select the role or permission that you want to check for.
  - Optional: To check for additional roles and permissions, continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed. You can select up to a combination of 10 roles and permissions.
- In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all the resources that the specified principal has the specified roles or permissions on.
  Policy analysis queries in the Google Cloud console can take one minute to run. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
- On the report page, click Visualize Results.
  The visualization is organized from left to right in up to four columns. The lines in the visualization connect principals to groups, principals or groups to roles, and roles to resources.
  - On the left are principals returned by the query.
  - If the principal has a role because that role was granted to a group, a line labeled "member of" connects that principal to the group. If the principal was directly granted the role, this column doesn't appear.
  - A line labeled "has" connects each principal or group to a role.
  - A line labeled "with access to" connects each role to the resource that it's granted on.
  - The number of resources that are affected by the granted role is represented as a number next to the resource.
  - If there is an existing role recommendation or policy insight, the role is circled and has a lightbulb icon. You can click the role to get more information about the recommendation, and use the link to review and apply it.
- To adjust the query, click Toggle panel "Visualize results".
  - In the Scope field, click Browse to change the project, folder, or organization that you want to scope the query to.
  - In the Principal field, start typing the name of a principal, service account, or group. Then, select the principal, service account, or group whose access you want to analyze from the list of principals provided.
  - To change the role for your query, in the Select a role or Permission field, select the role or permission that you want to check for.
  - To change the resource for your query, in the Resource field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.
  - Click Search to update the visualization.
Limitations
Policy Analyzer has the following limitations when you analyze access for specific types of principals:
- Agent principals: When you search for what roles and resources an agent identity can access, the search results are limited to direct bindings to agent identities and the following principal sets:
  - All agent identities in a trust domain, using the format principalSet://TRUST_DOMAIN/*. For example, principalSet://agents.global.org-123456789012.system.id.goog/*.
  - All agent identities with the platformContainer attribute, using the format principalSet://TRUST_DOMAIN/attribute.platformContainer/aiplatform/projects/PROJECT_NUMBER. For example, principalSet://agents.global.org-123456789012.system.id.goog/attribute.platformContainer/aiplatform/projects/9876543210.
  - All agent identities with the platform attribute, using the format principalSet://TRUST_DOMAIN/attribute.platform/aiplatform. For example, principalSet://agents.global.org-123456789012.system.id.goog/attribute.platform/aiplatform.
  - All agent identities with the container attribute, using the format principalSet://TRUST_DOMAIN/attribute.container/projects/PROJECT_NUMBER. For example, principalSet://agents.global.org-123456789012.system.id.goog/attribute.container/projects/9876543210.
- Workload identity or workforce principals: When you search for what roles and resources a single identity in a workload or workforce pool can access, the search results are limited to the following principal sets:
  - All identities in the respective workload identity pool, using the format principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*. For example, principalSet://iam.googleapis.com/projects/9876543210/locations/global/workloadIdentityPools/altostrat-contractors/*.
  - All identities in the respective workforce pool, using the format principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*. For example, principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*.
Policy Analyzer visualizations have the following limitations:
- When creating a query, selections made in advanced options might not be reflected in the visualization.
- If the query results in a visualization that is too large or complex to render effectively, a warning message is displayed. To resolve this issue, refine your query parameters to narrow the set of results displayed.
- Up to 1,000 groups can be displayed in a visualization.
What's next
- Learn how to use AnalyzeIamPolicyLongrunning to write to BigQuery or write to Cloud Storage.
- See how you can use the REST API to save Policy Analysis queries.
- Explore the available access troubleshooting tools , which you can use to figure out why a principal doesn't have a certain type of access.