Test deny policy changes with Policy Simulator

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes how to simulate a change to an IAM deny policy using Policy Simulator. It also explains how to interpret the results of the simulation, and how to apply the simulated deny policy if you choose to.

This feature only evaluates access based on deny policies.

To learn how to simulate other types of policies, see the following:

Before you begin

Required roles

To get the permissions that you need to test changes to deny policies, ask your administrator to grant you the Deny Admin (roles/iam.denyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Simulate a change to a deny policy

Simulating a deny policy involves the following steps:

  1. Starting the simulation
  2. Waiting for the simulation to finish
  3. Viewing the simulation report
  4. Taking action based on the simulation

Start a simulation

You can start a simulation in the following ways:

  • Simulate a new deny policy:

    1. In the Google Cloud console, go to the Deny tab on the IAM page.
    2. Select a project, folder, or organization.
    3. Follow the steps to create a deny policy, but don't click Create after entering the deny policy details. Instead, click Test policy.
  • Simulate an edit to a deny policy:

    1. In the Google Cloud console, go to the Deny tab on the IAM page.

    2. Select a project, folder, or organization.

    3. In the Policy ID column, click the ID of the policy that you want to edit.

    4. Click Edit.

    5. Update the deny policy:

      • To change the policy display name, edit the Display name field.
      • To edit an existing deny rule, click the deny rule, and then modify the rule's principals, exception principals, denied permissions, exception permissions, or denial condition.
      • To remove a deny rule, find the deny rule that you want to delete, and then click Delete in that row.
      • To add a deny rule, click Add deny rule, and then create a deny rule like you do when you create a deny policy.
    6. When you're done updating the deny policy, click Test changes.

When you click Test policy or Test changes, Policy Simulator starts the simulation and redirects you to the Deny simulation reports page. You can navigate away from this page without losing progress.

Wait for a simulation to complete

After you start a simulation, the Google Cloud console generates a notification that the simulation is running.

After the simulation finishes, the Google Cloud console generates another notification that the simulation is complete. When you receive this notification, you can view the simulation report.

Each user can have up to 10 in-progress simulations.

View a simulation report

  1. In the Google Cloud console, go to the Deny simulation reports page.

  2. Find the simulation whose report you want to view, then click View report in that row.

The simulation report contains the following:

  • An overview of the simulation details, including the simulated policy, the simulated action, and the simulation time.
  • A View policy or View policy changes button, which, when clicked, displays the simulated policy in JSON format. If you're simulating a policy change, then it might also display the difference between the current policy and the simulated policy.
  • A Replay results section, which displays the results of the simulation. To learn how to interpret these results, see Policy Simulator results.
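The View policy button shows the simulated policy as JSON, and step 5 of the editing procedure above names the parts of a deny rule that the replay evaluates: principals, exception principals, denied permissions, exception permissions, and a denial condition. The Python below is an added example, not part of this page and not Policy Simulator's code: it loads a constructed deny policy written in the IAM deny-policy JSON shape and replays a few constructed accesses against it, so that each branch of the rule (group membership, exception principal, wildcard permission, exception permission, condition) can be seen deciding a verdict. The group membership, e-mail addresses, tag key, and the tiny condition evaluator (which understands only `resource.matchTag`) are assumptions of this example.

```python
"""Offline illustration of how one IAM deny rule is evaluated (added example, not
Policy Simulator's code). The policy follows the IAM deny-policy JSON shape; the
e-mail addresses, the tag key and the evaluator are constructed for this page.
The denial condition is checked by a stand-in for CEL that understands only
resource.matchTag('KEY', 'VALUE')."""
import fnmatch
import json
import re

# Constructed simulated policy, in the shape the report's "View policy" button shows.
SIMULATED_POLICY_JSON = """{
  "displayName": "Restrict project changes in prod (simulated)",
  "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/group/devs@example.com"],
    "exceptionPrincipals": ["principal://goog/subject/admin@example.com"],
    "deniedPermissions": ["cloudresourcemanager.googleapis.com/projects.*"],
    "exceptionPermissions": ["cloudresourcemanager.googleapis.com/projects.get"],
    "denialCondition": {"title": "prod only",
                        "expression": "resource.matchTag('example/env', 'prod')"}
  }}]
}"""

# Constructed group membership; a real evaluation resolves groups through Cloud Identity.
GROUP_MEMBERS = {"devs@example.com": {"alice@example.com", "admin@example.com"}}

_MATCH_TAG = re.compile(r"^resource\.matchTag\('([^']+)',\s*'([^']+)'\)$")


def condition_holds(expression, resource_tags):
    """Stand-in for CEL: only resource.matchTag('KEY', 'VALUE') is understood."""
    m = _MATCH_TAG.match(expression.strip())
    if not m:
        raise ValueError(f"condition form not supported by this illustration: {expression}")
    key, value = m.groups()
    return resource_tags.get(key) == value


def principal_matches(identifier, principal, group_members):
    """Match a rule's principal identifier against a concrete user e-mail."""
    if identifier == "principalSet://goog/public:all":        # every principal
        return True
    if identifier.startswith("principal://goog/subject/"):   # one user
        return identifier.rsplit("/", 1)[1] == principal
    if identifier.startswith("principalSet://goog/group/"):  # a Google group
        return principal in group_members.get(identifier.rsplit("/", 1)[1], ())
    return False  # other principal-set kinds are out of scope for this illustration


def rule_denies(rule, principal, permission, resource_tags, group_members):
    """A deny rule applies only when all four lists and the condition agree.
    A permission in a rule may end in '*'; fnmatch gives that wildcard behaviour."""
    dr = rule["denyRule"]

    def hit(identifiers):
        return any(principal_matches(i, principal, group_members) for i in identifiers)

    def perm(patterns):
        return any(fnmatch.fnmatchcase(permission, p) for p in patterns)

    if not hit(dr.get("deniedPrincipals", [])) or hit(dr.get("exceptionPrincipals", [])):
        return False
    if not perm(dr.get("deniedPermissions", [])) or perm(dr.get("exceptionPermissions", [])):
        return False
    cond = dr.get("denialCondition")
    return cond is None or condition_holds(cond["expression"], resource_tags)


def replay(policy, accesses, group_members=GROUP_MEMBERS):
    """Return {access name: "DENIED" | "NOT_DENIED"}. NOT_DENIED is not "allowed":
    only deny policies are evaluated here, so allow policies still decide the outcome."""
    out = {}
    for a in accesses:
        denied = any(rule_denies(r, a["principal"], a["permission"], a["tags"], group_members)
                     for r in policy["rules"])
        out[a["name"]] = "DENIED" if denied else "NOT_DENIED"
    return out


DELETE = "cloudresourcemanager.googleapis.com/projects.delete"
GET = "cloudresourcemanager.googleapis.com/projects.get"
# Constructed sample accesses, one per branch of the rule.
SAMPLE_ACCESSES = [
    {"name": "alice deletes prod project", "principal": "alice@example.com", "permission": DELETE, "tags": {"example/env": "prod"}},
    {"name": "alice deletes dev project", "principal": "alice@example.com", "permission": DELETE, "tags": {"example/env": "dev"}},
    {"name": "admin deletes prod project", "principal": "admin@example.com", "permission": DELETE, "tags": {"example/env": "prod"}},
    {"name": "alice reads prod project", "principal": "alice@example.com", "permission": GET, "tags": {"example/env": "prod"}},
    {"name": "bob deletes prod project", "principal": "bob@example.com", "permission": DELETE, "tags": {"example/env": "prod"}},
]


def replay_simulated():
    """Replay the constructed accesses against the constructed simulated policy."""
    return replay(json.loads(SIMULATED_POLICY_JSON), SAMPLE_ACCESSES)


if __name__ == "__main__":
    for name, verdict in replay_simulated().items():
        print(f"{verdict:10} {name}")
```

Running the file prints one verdict per sample access: only the group member deleting a prod-tagged project is denied; the dev-tagged project fails the condition, the admin is an exception principal, the read is an exception permission, and the non-member never matched the denied principals. A NOT_DENIED verdict is the weaker of the two results: as the page says, the simulation evaluates only deny policies, so whether such an access actually succeeds still depends on the allow policies.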

Take action based on a simulation

After reviewing a simulation report, you can take the following actions:

  • Export the simulation results: To export the results of a simulation as a CSV file, click Export results.

    When you click this button, a CSV file with the simulation reports is downloaded to your computer.

  • Apply the simulated policy change: To apply the simulated policy or policy change, click Set policy.

    When you click this button, the Google Cloud console sets the simulated policy.

  • Edit the simulated change to the policy: To make further changes to the simulated policy or policy change, click Modify policy.

    When you click this button, the Google Cloud console redirects you to the deny policy editor.

Alternatively, you can click Cancel to leave the simulation report without taking any action.

View simulation history

The Deny simulation reports page contains a table listing all of the simulations that you've run over the past 14 days. This list is unique to each user and can't be shared.

To view the Deny simulation reports page, do the following:

  1. In the Google Cloud console, go to the Deny tab on the IAM page.

  2. Select the project, folder, or organization that you want to view simulations for.

  3. Click Simulation history.

For each simulation, the page lists the policy that the simulation is for, the date that you started the simulation, and the status of the simulation.

Simulations can have the following statuses:

  • In progress: The simulation is running, but hasn't completed yet. You can have up to 10 in-progress simulations.
  • Completed: The simulation is complete.
  • Error: The simulation couldn't be completed due to an error.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.