Remediate denied access with the Policy Remediator
Preview: Policy Remediator is a pre-GA feature. It is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms (https://cloud.google.com/terms/service-terms#1). Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions (https://cloud.google.com/products#product-launch-stages).
This page shows you how to enable and use the Policy Remediator.
When users attempt to access a Google Cloud resource but aren't compliant with
the access policy for the resource, they are denied access and receive a general
403 error message. You can use the Policy Remediator to provide users with
actionable steps that they can take to remediate their issue before reaching out
to an administrator for additional help. The specific remediation actions depend on the
access policies, but can include things such as enabling screen lock, updating
the operating system (OS) version, or accessing an app from a network allowed by
your company.
Enable Policy Remediator
1. Grant your organization administrator the
roles/policyremediatormanager.policyRemediatorAdmin role at the
organization level by running the following command in the Google Cloud CLI:
gcloud organizations add-iam-policy-binding 'organizations/ORGANIZATION_ID' \
--member PRINCIPAL \
--role roles/policyremediatormanager.policyRemediatorAdmin
Replace the following:
ORGANIZATION_ID: the Google Cloud organization ID.
PRINCIPAL: the identifier for the principal, or member, which
usually has the following form: PRINCIPAL_TYPE:ID. For example,
user:my-user@example.com.
2. Enable the Policy Remediator Manager API by running the following command:
gcloud services enable policyremediatormanager.googleapis.com
3. Call the Policy Remediator Manager to enable Policy Remediator for the
projects in the organization. This creates a service agent:
curl -X POST \
"https://policyremediatormanager.googleapis.com/v1alpha/organizations/ORGANIZATION_ID/locations/global/remediatorService:enable" \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--header 'X-Goog-User-Project:PROJECT_ID'
Replace the following:
ORGANIZATION_ID: the Google Cloud organization ID.
ACCESS_TOKEN: an access token, which you can generate with gcloud auth print-access-token.
PROJECT_ID: the Google Cloud project ID.
The call is asynchronous and returns a long-running operation. The following is an example response:
{
  "name": "organizations/ORGANIZATION_ID/locations/global/operations/",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.policyremediatormanager.remediatorservicemanager.v1alpha.OperationMetadata",
    "createTime": "",
    "target": "organizations/ORGANIZATION_ID/locations/global/remediatorService",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1alpha"
  },
  "done": false
}
Where ORGANIZATION_ID is the Google Cloud organization ID.
4. Run the following command to retrieve the service agent that was created:
curl -X GET \
"https://policyremediatormanager.googleapis.com/v1alpha/organizations/ORGANIZATION_ID/locations/global/remediatorService" \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--header 'X-Goog-User-Project:PROJECT_ID'
Replace ORGANIZATION_ID, ACCESS_TOKEN, and PROJECT_ID as in the previous step.
Once the enable operation has completed, the response reports the state ENABLED and contains the service agent email in the following format:
{
  "name": "organizations/ORGANIZATION_ID/locations/global/remediatorService",
  "state": "ENABLED",
  "serviceAccountEmail": "service-org-ORGANIZATION_ID@gcp-sa-v1-remediator.iam.gserviceaccount.com"
}
Where ORGANIZATION_ID is the Google Cloud organization ID. Keep this email; the following section grants it the roles it needs.
Assign the service agent role in the Google Admin console
1. Sign in to the Google Admin console (https://admin.google.com).
2. Go to Account > Admin roles, and then click Create new role.
Enter a name and a description (optional) for the role, and then click
Continue.
In Admin console privileges, go to Services > Mobile and Device Management
and select the Manages Devices and Settings permission.
In Admin API privileges, go to Groups, and then select the Read
permission. Limit the custom role to these two privileges; the service agent needs nothing else from the Admin console.
Click Continue, confirm your entries, and complete creating the role.
Go to Assign Service Accounts and enter the email address of the newly
created service agent.
Click Add > Assign Role.
3. In the Google Cloud CLI, run the following command to grant the Service Agent
(roles/policyremediator.serviceAgent) role to the service agent at the
organization level. This gives the service agent permission to read the
Identity and Access Management and other access policies for your organization:
gcloud organizations add-iam-policy-binding 'organizations/ORGANIZATION_ID' \
--member='serviceAccount:service-org-ORGANIZATION_ID@gcp-sa-v1-remediator.iam.gserviceaccount.com' \
--role='roles/policyremediator.serviceAgent'
Replace ORGANIZATION_ID with the Google Cloud organization ID.
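Because roles/policyremediator.serviceAgent reads the IAM and access policies of the whole organization, it is worth confirming, before and after the binding, that the address you are about to grant is exactly the documented service agent for your organization and that nobody else holds that role. The following script is an added example and not part of the page or of Google's tooling. It checks the operation returned by remediatorService:enable, the remediatorService GET response, and an organization IAM policy (as returned by gcloud organizations get-iam-policy ORGANIZATION_ID --format=json); the organization ID and the three JSON documents below are constructed to mirror the shapes shown above.

```python
"""Sanity checks on Policy Remediator enablement output before granting roles.

Added example, not Google's code. Feed it the JSON from the enable and GET
calls above plus `gcloud organizations get-iam-policy ORG_ID --format=json`;
the samples at the bottom are constructed to mirror the documented shapes.
"""

REMEDIATOR_SA_DOMAIN = "gcp-sa-v1-remediator.iam.gserviceaccount.com"
SERVICE_AGENT_ROLE = "roles/policyremediator.serviceAgent"
ADMIN_ROLE = "roles/policyremediatormanager.policyRemediatorAdmin"


def expected_service_agent(org_id: str) -> str:
    """The service agent address the page documents for an organization."""
    return f"service-org-{org_id}@{REMEDIATOR_SA_DOMAIN}"


def enable_operation_finished(operation: dict, org_id: str) -> bool:
    """True once the enable operation for this org's remediatorService reports done."""
    target = operation.get("metadata", {}).get("target")
    return (target == f"organizations/{org_id}/locations/global/remediatorService"
            and operation.get("done") is True)


def verified_service_agent(status: dict, org_id: str) -> str:
    """Return the service agent e-mail, or raise if anything about it is unexpected.

    The serviceAgent role reads policies for the whole organization, so the
    binding must go to exactly the documented address for this org.
    """
    if status.get("state") != "ENABLED":
        raise ValueError(f"remediatorService state is {status.get('state')!r}, not ENABLED")
    email = status.get("serviceAccountEmail", "")
    if email != expected_service_agent(org_id):
        raise ValueError(f"unexpected service agent e-mail: {email!r}")
    return email


def audit_org_policy(policy: dict, org_id: str) -> dict:
    """Summarise how the two remediator roles are bound in an organization IAM policy."""
    agent = "serviceAccount:" + expected_service_agent(org_id)
    report = {"agent_binding": "missing", "extra_agent_members": set(), "admins": []}
    for binding in policy.get("bindings", []):
        role, members = binding.get("role"), binding.get("members", [])
        if role == SERVICE_AGENT_ROLE:
            if agent in members:
                # An IAM condition on this binding could hide policies the agent must read.
                report["agent_binding"] = "conditional" if binding.get("condition") else "ok"
            # Nothing but the service agent should hold the serviceAgent role.
            report["extra_agent_members"] |= {m for m in members if m != agent}
        elif role == ADMIN_ROLE:
            report["admins"] += members
    report["extra_agent_members"] = sorted(report["extra_agent_members"])
    return report


def binding_command(org_id: str) -> str:
    """The gcloud command from the procedure above, filled in for this org."""
    return (f"gcloud organizations add-iam-policy-binding 'organizations/{org_id}' "
            f"--member='serviceAccount:{expected_service_agent(org_id)}' "
            f"--role='{SERVICE_AGENT_ROLE}'")


# Constructed samples mirroring the responses shown on the page.
ORG_ID = "123456789012"
ENABLE_OPERATION = {
    "name": f"organizations/{ORG_ID}/locations/global/operations/op-1",
    "metadata": {"target": f"organizations/{ORG_ID}/locations/global/remediatorService",
                 "verb": "update", "apiVersion": "v1alpha"},
    "done": False,
}
SERVICE_STATUS = {
    "name": f"organizations/{ORG_ID}/locations/global/remediatorService",
    "state": "ENABLED",
    "serviceAccountEmail": f"service-org-{ORG_ID}@{REMEDIATOR_SA_DOMAIN}",
}
ORG_POLICY = {"bindings": [{"role": ADMIN_ROLE, "members": ["user:my-user@example.com"]}]}

if __name__ == "__main__":
    print("enable operation finished:", enable_operation_finished(ENABLE_OPERATION, ORG_ID))
    agent = verified_service_agent(SERVICE_STATUS, ORG_ID)
    report = audit_org_policy(ORG_POLICY, ORG_ID)
    print(agent, report)
    if report["agent_binding"] == "missing":
        print("run:", binding_command(ORG_ID))
```

With the constructed policy the report shows the serviceAgent binding as missing and prints the gcloud command to add it; rerunning it with the real policy after step 3 should report "ok" and an empty extra_agent_members list.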
Enable Policy Remediator for an IAP resource
1. Go to the Identity-Aware Proxy (IAP) page (https://console.cloud.google.com/security/iap).
2. Select a resource, and then click Settings.
3. Go to Remediate access, and then select Generate remediation actions.
Grant the remediator role
To give users permission to remediate denied access to IAP resources,
run the following command in the Google Cloud CLI:
gcloud iap web add-iam-policy-binding \
--member='PRINCIPAL' \
--role='roles/iap.remediatorUser'
Replace PRINCIPAL with an identifier for the principal, or member,
which usually has the following form: PRINCIPAL_TYPE:ID. For example,
user:my-user@example.com.
For additional information, including the --resource-type and --service flags that scope the binding to a single backend service, see the gcloud iap web add-iam-policy-binding reference (https://cloud.google.com/sdk/gcloud/reference/iap/web/add-iam-policy-binding).
To give users permission to remediate access to all IAP resources in a project,
run the following command in the Google Cloud CLI:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member PRINCIPAL \
--role roles/iap.remediatorUser
Replace the following:
PROJECT_ID: the Google Cloud project ID.
PRINCIPAL: the identifier for the principal, or member, which
usually has the following form: PRINCIPAL_TYPE:ID. For example,
user:my-user@example.com.
A project-level binding applies to every IAP resource in the project; grant the role on the individual IAP resource when only some apps need it.
Remediate with the Help Desk
When end users are denied access, they are redirected to a Chrome Enterprise Premium page
that contains troubleshooting information, including a troubleshooting URL and a
remediation token. Users who hold the roles/iap.remediatorUser role can open the troubleshooting URL and see the remediation actions themselves. Users who don't have that permission
can copy the remediation token and send it to the Help Desk, which can look up the remediation actions on their behalf.
Policy attributes and associated messages
The following table lists the attributes that the Policy Remediator supports and the default message shown to the user for each. Attributes with two messages have one for each value the access policy can require; bracketed placeholders are filled in from the policy.
Attribute | Default message
ip_address | You're accessing the app from a network not allowed by your company.
region_code | Access this app from a region allowed by your company.
is_secured_with_screenlock | Set a screen password on your device. / Turn off the screen password on your device.
verified_chrome_os | Use a device with verified [OS type]. / Use a device without verified [OS type].
is_admin_approved_device | Use a device approved by your organization administrator. / Use a device not approved by your organization administrator.
is_corp_owned_device | Use a device owned by your organization. / Use a device not owned by your organization.
encryption_status | Use an encrypted device. / Use an unencrypted device.
os_type | Switch to a [OS type] device. / [OS type] devices cannot access this app.
os_version | Update to an OS version that is at least [version]. / Downgrade your OS to a version less than [version].
Troubleshooting
The Policy Remediator cannot generate remediations when any of the following occur:
A resource has conflicting policies, such as one that requires a user to connect from both a Windows device and a macOS device.
The attribute that caused the denial is not one the Policy Remediator supports (see the table above).
The service agent does not have the permissions it needs to remediate (the Google Admin console role and the roles/policyremediator.serviceAgent binding granted above).
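The first troubleshooting case can be caught before users ever hit it: a policy that demands Windows and macOS at the same time, a screen lock that must be both on and off, or an OS version that must be at least X and below X is unsatisfiable, and the Remediator can only say so. The following script is an added example, not Google's code. It reads Access Context Manager access levels in the JSON shape returned by gcloud access-context-manager levels describe LEVEL --policy=POLICY --format=json and reports contradictions across their device, region and network conditions, mapping each to the attribute names in the table above. The access levels, their names and the policy ID in it are constructed; the assumption that all listed levels and all of their conditions must hold together is the reading for an IAP binding that requires every one of those levels.

```python
"""Flag access-level requirements that no single device can satisfy.

Added example, not Google's code. Input: a list of Access Context Manager
access levels as returned by `gcloud access-context-manager levels describe`;
the levels at the bottom are constructed. Every condition of every level is
treated as required together. Levels combined with OR, and negated conditions
that touch several attributes, are reported as not analysed rather than guessed.
"""
from collections import defaultdict

# devicePolicy booleans mapped to the Policy Remediator attribute names used on this page.
FLAG_ATTRS = {"requireScreenlock": "is_secured_with_screenlock",
              "requireAdminApproval": "is_admin_approved_device",
              "requireCorpOwned": "is_corp_owned_device"}


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def _facts(cond: dict) -> list:
    """(attribute, kind, value) triples for one condition, before negation is applied."""
    dev, facts = cond.get("devicePolicy", {}), []
    if dev.get("osConstraints"):
        facts.append(("os_type", "set", {o["osType"] for o in dev["osConstraints"]}))
        facts += [(f"os_version:{o['osType']}", "min", _version(o["minimumVersion"]))
                  for o in dev["osConstraints"] if o.get("minimumVersion")]
    if dev.get("allowedEncryptionStatuses"):
        facts.append(("encryption_status", "set", set(dev["allowedEncryptionStatuses"])))
    facts += [(attr, "flag", True) for key, attr in FLAG_ATTRS.items() if dev.get(key)]
    if cond.get("regions"):
        facts.append(("region_code", "set", set(cond["regions"])))
    if cond.get("ipSubnetworks"):
        facts.append(("ip_address", "set", set(cond["ipSubnetworks"])))
    return facts


def find_conflicts(levels: list) -> list:
    """One message per contradiction found; an empty list means none."""
    allow, deny, where = {}, defaultdict(set), defaultdict(list)
    require, forbid, floor, ceiling, findings = {}, {}, {}, {}, []
    for level in levels:
        name, basic = level.get("name", "<unnamed>"), level.get("basic", {})
        if basic.get("combiningFunction", "AND") != "AND":
            findings.append(f"{name}: combiningFunction OR not analysed")
            continue
        for i, cond in enumerate(basic.get("conditions", [])):
            tag, facts = f"{name} condition[{i}]", _facts(cond)
            if not cond.get("negate"):
                for attr, kind, value in facts:
                    where[attr].append(tag)
                    if kind == "set":      # allowed values: intersect across conditions
                        allow[attr] = allow[attr] & value if attr in allow else set(value)
                    elif kind == "flag":   # boolean requirement
                        require[attr] = tag
                    else:                  # minimum version: keep the highest floor
                        floor[attr] = max(floor.get(attr, value), value)
                continue
            kinds = [k for _, k, _ in facts]
            if kinds == ["set", "min"] and len(facts[0][2]) == 1:
                # "not (OS X at version >= V)": devices running X must stay below V.
                key, ver = facts[1][0], facts[1][2]
                ceiling[key] = min(ceiling.get(key, ver), ver)
                where[key].append(tag)
            elif kinds == ["set"]:
                deny[facts[0][0]] |= facts[0][2]
                where[facts[0][0]].append(tag)
            elif kinds == ["flag"]:
                forbid[facts[0][0]] = tag
            else:
                findings.append(f"{tag}: negated condition not analysed (several or no recognised constraints)")
    for attr, allowed in allow.items():
        if not allowed - deny[attr]:
            findings.append(f"{attr}: no value satisfies {', '.join(where[attr])}")
    for attr in require.keys() & forbid.keys():
        findings.append(f"{attr}: required by {require[attr]} and forbidden by {forbid[attr]}")
    for key in floor.keys() & ceiling.keys():
        if floor[key] >= ceiling[key] and allow.get("os_type") == {key.split(":", 1)[1]}:
            findings.append(f"{key}: must be >= {floor[key]} and < {ceiling[key]} "
                            f"({', '.join(where[key])})")
    return findings


# Constructed levels: one wants a locked, encrypted Windows device, the other a Mac with no screen lock.
SAMPLE_LEVELS = [
    {"name": "accessPolicies/123456/accessLevels/managed_windows",
     "basic": {"conditions": [
         {"devicePolicy": {"requireScreenlock": True,
                           "osConstraints": [{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19045"}],
                           "allowedEncryptionStatuses": ["ENCRYPTED"]},
          "regions": ["US", "CA"]}]}},
    {"name": "accessPolicies/123456/accessLevels/mac_unlocked",
     "basic": {"conditions": [
         {"devicePolicy": {"osConstraints": [{"osType": "DESKTOP_MAC"}]}},
         {"devicePolicy": {"requireScreenlock": True}, "negate": True}]}},
]

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_LEVELS):
        print(finding)
```

On the constructed levels it reports two contradictions: os_type (Windows versus Mac) and is_secured_with_screenlock (required by the first level, forbidden by the second); a required Windows floor of 11.0.0 combined with a negated "Windows 10.0.0 or later" condition is reported as an os_version conflict, the case behind the "Downgrade your OS" message in the table. Resolve such findings in Access Context Manager before enabling Generate remediation actions on the resource.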
Last updated 2025-08-29 UTC.