Stay organized with collections Save and categorize content based on your preferences.
In IAM, access changes, such as granting a role or denying a permission, are eventually consistent. This means that it takes time for access changes to propagate through the system. In the meantime, recent access changes might not be effective everywhere. For example, principals might still be able to use a recently revoked role or a recently denied permission. Alternatively, they might not be able to use a recently granted role or a permission they were, until recently, denied from using.
The amount of time it takes for an access change to propagate depends on how you make the access change:
Method
Examples
Propagation time
Change a policy
Change a principal's access by editing an allow or deny policy.
You edit your organization's allow policy to grant a principal the Organization Administrator role (roles/resourcemanager.organizationAdmin).
You edit an organization-level deny policy to deny a principal the cloudresourcemanager.googleapis.com/projects.setIamPolicy permission.
Typically 2 minutes, potentially 7 minutes or longer
Change a group's membership
Change a principal's access by adding or removing them from a Google group that's included in an allow or deny policy.
You have a group, org-admins@example.com, that is granted the Organization Administrator role on your organization. You add a principal to the group to give them the Organization Administrator role.
You have a group, eng@example.com, that is denied the cloudresourcemanager.googleapis.com/projects.setIamPolicy permission at the organization level. You add a principal to the group to deny them the cloudresourcemanager.googleapis.com/projects.setIamPolicy permission.
Typically several minutes, potentially hours or longer
Change a nested group's membership
Change a principal's access by adding or removing them from a nested group whose parent group is included in an allow or deny policy.
You have a group, admins@example.com, that is granted the Tag Viewer role (roles/resourcemanager.tagViewer) on your organization. This group's membership is made up of a number of other groups, including org-admins@example.com. You add a principal to the org-admins@example.com group to give them the Tag Viewer role.
You have a group, eng@example.com, that is denied the cloudresourcemanager.googleapis.com/projects.setIamPolicy permission at the organization level. This group's membership is made up of a number of other groups, including eng-prod@example.com. You add a principal to the eng-prod@example.com group to deny them the cloudresourcemanager.googleapis.com/projects.setIamPolicy permission.
Typically several minutes, potentially hours or longer
Also keep in mind the following details for how group membership changes propagate:
In general, adding a principal to a group propagates faster than removing a principal from a group.
In general, group membership changes propagate faster than nested group membership changes.
You can use these propagation time estimates to inform the way you modify your principals' access.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["IAM access changes, such as granting or denying permissions, are eventually consistent, meaning they don't take effect immediately across the entire system."],["The time it takes for access changes to propagate varies depending on the method used, with policy changes typically taking around 2 minutes, potentially longer, and group membership changes taking several minutes to potentially hours."],["Changing a principal's access through group membership changes typically propagates faster than changes made via nested group memberships."],["Adding a principal to a group generally results in faster propagation of access changes than removing a principal from a group."]]],[]]
