To help you understand and remedy access issues, Policy Intelligence offers the following troubleshooters:
- Policy Troubleshooter for Identity and Access Management (IAM)
- VPC Service Controls troubleshooter
- Policy Troubleshooter for BeyondCorp Enterprise
Policy Troubleshooter for IAMPolicy Troubleshooter for IAM helps you understand why a user has access to a resource or doesn't have permission to call an API. Given an email address, resource, and permission, Policy Troubleshooter examines all allow and deny policies that apply to the resource. Then, it uses those policies to tell you whether the principal has the permission. It also lists the role bindings and deny rules in the policies and explains how they affect the principal's access.
To learn how to use Policy Troubleshooter to troubleshoot IAM allow and deny policies, see Troubleshooting access.
VPC Service Controls troubleshooter
The VPC Service Controls troubleshooter helps you troubleshoot access issues caused by improperly configured VPC Service Controls service perimeters. Given a unique denial ID, the VPC Service Controls troubleshooter investigates the denial and reports why a service perimeter denied a request.
To learn how to use the VPC Service Controls troubleshooter, see Diagnosing issues by using the VPC Service Controls troubleshooter.
Policy Troubleshooter for BeyondCorp Enterprise
The Policy Troubleshooter for BeyondCorp Enterprise helps organizations using BeyondCorp Enterprise understand why an end user is denied access. Policy Troubleshooter evaluates both your policies and the end user's context—for example, their location or device details—to determine why access was denied.
The BeyondCorp Enterprise Policy Troubleshooter is a premium feature and requires a BeyondCorp Enterprise license.
To learn how to use Policy Troubleshooter to troubleshoot BeyondCorp Enterprise, see Troubleshooting by using the Policy Troubleshooter for BeyondCorp Enterprise.