Test principal access boundary policy changes with Policy Simulator

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes how to simulate a change to a principal access boundary (PAB) policy or binding using Policy Simulator. It also explains how to interpret the results of the simulation, and how to apply the simulated principal access boundary policy or binding if you choose to.

This feature only evaluates access based on principal access boundary policies.

To learn how to simulate changes to other policy types, see the following:

Before you begin

Required roles

To get the permissions that you need to test changes to principal access boundary policies and bindings, ask your administrator to grant you the following IAM roles on the organization:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Start a simulation

The following sections describe the ways that you can start a simulation for a change to a principal access boundary policy or binding.

Simulate a new binding for a principal access boundary policy

Follow the steps to create a policy binding, but don't click Add after entering the binding details. Instead, click Test changes.

Simulate an edit to an existing principal access boundary policy

Follow the steps to edit a principal access boundary policy, but don't click Save after editing the policy. Instead, click Test changes.

Simulate an edit to an existing binding for a principal access boundary policy

Follow the steps to edit a policy binding, but don't click Save after editing the binding. Instead, click Test changes.

Simulate deleting principal access boundary rules

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.

    Go to Principal Access Boundary policies

  2. Select the organization that owns the principal access boundary policy whose rules you want to delete.

  3. Click the policy ID of the principal access boundary policy whose rule you want to delete.

  4. In the Boundary rules table, select the rules that you want to delete, then click Test delete rules.

Simulate deleting a principal access boundary policy

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.

    Go to Principal Access Boundary policies

  2. Select the organization that owns the principal access boundary policy whose binding you want to delete.

  3. Find the ID of the policy that you want to delete. In that policy's row, click Actions, then click Test delete policy.

Simulate deleting a binding for a principal access boundary policy

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.

    Go to Principal Access Boundary policies

  2. Select the organization that owns the principal access boundary policy whose binding you want to delete.

  3. Click the policy ID of the principal access boundary policy whose bindings you want to delete.

  4. Click the Bindings tab.

  5. Find the ID of the binding that you want to delete. In that binding's row, click Actions, then click Test delete binding.

Understand simulation results

The results page for a principal access boundary policy or binding simulation contains the following information:

  • An Access revoked section, which contains the following information:

    • The number of principals that would lose access if you applied the simulated principal access boundary policy or binding
    • The number of known resources that principals would lose access to if you applied the simulated principal access boundary policy or binding
  • An Access gained section, which contains the following information:

    • The number of principals that would gain access if you applied the simulated principal access boundary policy or binding
    • The number of known resources that principals would gain access to if you applied the simulated principal access boundary policy or binding
  • A table of the access changes, which shows the impact of the simulated policy or binding. To learn how to interpret these access changes, see Policy Simulator results.

Take action based on a simulation

After reviewing a simulation report, you can take the following actions:

  • Export the simulation results: To export the results of a simulation as a CSV file, click Export raw results.

    When you click this button, a CSV file with the simulation reports is downloaded to your computer.

  • Apply the simulated policy change: The button that you click to apply a simulated policy change depends on the type of change you're simulating.

    • Simulating an edited principal access boundary policy or rule, or a deleted rule: click Set policy.
    • Simulating a new or edited binding for a principal access boundary policy: click Set binding.
    • Simulating a deleted principal access boundary policy: click Delete policy.
    • Simulating a deleted binding for a principal access boundary policy: click Delete binding.

    When you click this button, the Google Cloud console sets the simulated policy or binding.

  • Edit the simulated change to the policy or binding: To make further changes to the simulated policy or policy binding, click Back or Back to editing.

    When you click this button, the Google Cloud console redirects you to the policy or policy binding editor.


Last updated 2026-02-19 UTC.