Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to simulate a change to an IAM deny
policy using Policy Simulator. It also explains how to
interpret the results of the simulation, and how to apply the simulated deny
policy if you choose to.
This feature only evaluates access based on deny policies.
To learn how to simulate other types of policies, see the following:
To get the permissions that
you need to test changes to deny policies,
ask your administrator to grant you the
Deny Admin (roles/iam.denyAdmin)
IAM role on the organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
In the Policy ID column, click the ID of the policy that you want to
edit.
Click editEdit.
Update the deny policy:
To change the policy display name, edit the Display name field.
To edit an existing deny rule, click the deny rule, and then modify the
rule's principals, exception principals, denied permissions, exception
permissions, or denial condition.
To remove a deny rule, find the deny rule that you want to delete, and
then click deleteDelete in that
row.
To add a deny rule, click Add deny rule, and then create a deny rule
like you do when you create a deny policy.
When you're done updating the deny policy, click Test changes.
When you click Test policy or Test changes, Policy Simulator
starts the simulation and redirects you to the Deny simulation reports page.
You can navigate away from this page without losing progress.
Wait for a simulation to complete
After you start a simulation, the Google Cloud console generates a notification
that the simulation is running.
After the simulation finishes, the Google Cloud console generates another
notification that the simulation is complete. When you receive this notification,
you can view the simulation report.
Each user can have up to 10 in-progress simulations.
View a simulation report
In the Google Cloud console, go to the Deny simulation reports page.
Find the simulation whose report you want to view, then click View report in
that row.
The simulation report contains the following:
An overview of the simulation details, including the simulated policy, the
simulated action, and the simulation time.
A View policy or View policy changes button, which, when clicked,
displays the simulated policy in JSON format. If you're simulating the policy
change, then it might also display the difference between the current policy
and the simulated policy.
A Replay results section, which displays the results of the simulation. To
learn how to interpret these results, see Policy Simulator
results.
Take action based on a simulation
After reviewing a simulation report, you can take the following actions:
Export the simulation results: To export the results of a simulation as a
CSV file, click Export results.
When you click this button, a CSV file with the simulation reports is
downloaded to your computer.
Apply the simulated policy change: To apply the simulated policy or policy
change, click Set policy.
When you click this button, the Google Cloud console sets the simulated
policy.
Edit the simulated change to the policy: To make further changes to the
simulated policy or policy change, click Modify policy.
When you click this button, the Google Cloud console redirects you to the
deny policy editor.
Alternatively, you can click Cancel to leave the simulation report without
taking any action.
View simulation history
The Deny simulation reports page contains a table listing all of the simulations
that you've run over the past 14 days. This list is unique to each user and
can't be shared.
To view the Deny simulation reports page, do the following:
In the Google Cloud console, go to the Deny tab on the IAM page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Test deny policy changes with Policy Simulator\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\n\u003cbr /\u003e\n\nThis page describes how to simulate a change to an IAM [deny\npolicy](/iam/docs/deny-overview) using Policy Simulator. It also explains how to\ninterpret the results of the simulation, and how to apply the simulated deny\npolicy if you choose to.\n\nThis feature only evaluates access based on deny policies.\n\nTo learn how to simulate other types of policies, see the following:\n\n- [Test organization policy changes with\n Policy Simulator](/policy-intelligence/docs/test-organization-policies)\n- [Test principal access boundary policy changes with\n Policy Simulator](/policy-intelligence/docs/simulate-pab-policies)\n- [Test role changes with Policy Simulator](/policy-intelligence/docs/simulate-iam-policies)\n\nBefore you begin\n----------------\n\n-\n\n\n Enable the Policy Simulator and Identity and Access Management APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=policysimulator.googleapis.com,iam.googleapis.com)\n- Optional: Learn [how\n Policy Simulator for deny policies works](/policy-intelligence/docs/deny-simulator-overview).\n\n### Required roles\n\n\nTo get the permissions that\nyou need to test changes to deny policies,\n\nask your administrator to grant you the\n\n\n[Deny Admin](/iam/docs/roles-permissions/iam#iam.denyAdmin) (`roles/iam.denyAdmin`)\nIAM role on the organization.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nSimulate a change to a deny policy\n----------------------------------\n\nSimulating a deny policy involves the following steps:\n\n1. [Starting the simulation](#start-simulation)\n2. [Waiting for the simulation to finish](#wait)\n3. [Viewing the simulation report](#view-report)\n4. [Taking action based on the simulation](#take-action)\n\n### Start a simulation\n\nYou can start a simulation in the following ways:\n\n- Simulate a new deny policy:\n\n 1. In the Google Cloud console, go to the **Deny** tab on the **IAM** page.\n\n [Go\n to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam/deny?supportedpurview=project,folder,organizationId)\n 1. Select a project, folder, or organization.\n 2. Follow the steps to [create a deny policy](/iam/docs/deny-access#create-deny-policy), but don't click **Create** after entering the deny policy details. Instead, click **Test policy**.\n- Simulate an edit to a deny policy:\n\n 1. In the Google Cloud console, go to the **Deny** tab on the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam/deny?supportedpurview=project,folder,organizationId)\n 2. Select a project, folder, or organization.\n\n 3. In the **Policy ID** column, click the ID of the policy that you want to\n edit.\n\n 4. Click edit **Edit**.\n\n 5. Update the deny policy:\n\n - To change the policy display name, edit the **Display name** field.\n - To edit an existing deny rule, click the deny rule, and then modify the rule's principals, exception principals, denied permissions, exception permissions, or denial condition.\n - To remove a deny rule, find the deny rule that you want to delete, and then click delete **Delete** in that row.\n - To add a deny rule, click **Add deny rule** , and then create a deny rule like you do when you [create a deny policy](/iam/docs/deny-access#create-deny-policy).\n 6. When you're done updating the deny policy, click **Test changes**.\n\nWhen you click **Test policy** or **Test changes** , Policy Simulator\nstarts the simulation and redirects you to the **Deny simulation reports** page.\nYou can navigate away from this page without losing progress.\n\n### Wait for a simulation to complete\n\nAfter you start a simulation, the Google Cloud console generates a notification\nthat the simulation is running.\n\nAfter the simulation finishes, the Google Cloud console generates another\nnotification that the simulation is complete. When you receive this notification,\nyou can [view the simulation report](#view-report).\n\nEach user can have up to 10 in-progress simulations.\n\n### View a simulation report\n\n1. In the Google Cloud console, go to the **Deny simulation reports** page.\n\n [Go to Deny simulation reports](https://console.cloud.google.com/iam-admin/iam/deny/simulation-reports/)\n2. Find the simulation whose report you want to view, then click **View report** in\n that row.\n\nThe simulation report contains the following:\n\n- An overview of the simulation details, including the simulated policy, the simulated action, and the simulation time.\n- A **View policy** or **View policy changes** button, which, when clicked, displays the simulated policy in JSON format. If you're simulating the policy change, then it might also display the difference between the current policy and the simulated policy.\n- A **Replay results** section, which displays the results of the simulation. To learn how to interpret these results, see [Policy Simulator\n results](/policy-intelligence/docs/deny-simulator-overview#review-results).\n\nTake action based on a simulation\n---------------------------------\n\nAfter reviewing a simulation report, you can take the following actions:\n\n- **Export the simulation results** : To export the results of a simulation as a\n CSV file, click **Export results**.\n\n When you click this button, a CSV file with the simulation reports is\n downloaded to your computer.\n- **Apply the simulated policy change** : To apply the simulated policy or policy\n change, click **Set policy**.\n\n When you click this button, the Google Cloud console sets the simulated\n policy.\n- **Edit the simulated change to the policy** : To make further changes to the\n simulated policy or policy change, click **Modify policy**.\n\n When you click this button, the Google Cloud console redirects you to the\n deny policy editor.\n\nAlternatively, you can click **Cancel** to leave the simulation report without\ntaking any action.\n\nView simulation history\n-----------------------\n\nThe **Deny simulation reports** page contains a table listing all of the simulations\nthat you've run over the past 14 days. This list is unique to each user and\ncan't be shared.\n\nTo view the **Deny simulation reports** page, do the following:\n\n1. In the Google Cloud console, go to the **Deny** tab on the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam/deny?supportedpurview=project,folder,organizationId)\n2. Select the project, folder, or organization that you want to view simulations\n for.\n\n3. Click schedule **Simulation history**.\n\nFor each simulation, the page lists the policy that the simulation is for, the\ndate that you started the simulation, and the status of the simulation.\n\nSimulations can have the following statuses:\n\n- **In progress**: The simulation is running, but hasn't completed yet. You can have up to 10 in-progress simulations.\n- **Completed**: The simulation is complete.\n- **Error**: The simulation couldn't be completed due to an error.\n\nWhat's next\n-----------\n\n- [Test organization policy changes with\n Policy Simulator](/policy-intelligence/docs/test-organization-policies)\n- [Test role changes with Policy Simulator](/policy-intelligence/docs/simulate-iam-policies)"]]
