--- title: "How to analyse IAM policy results" description: "Find out how to use generated logs to identify missing rights in IAM policies" url: https://docs.ovhcloud.com/en/guides/manage-and-operate/iam/troubleshooting lang: en lastUpdated: 2023-11-17 --- # How to analyse IAM policy results ## Objective The purpose of this guide is to present the different methods available for identifying missing actions in IAM policies. ## Requirements - You have an [OVHcloud customer account](/en/guides/account-and-service-management/account-information/ovhcloud-account-creation.md). - You know how to configure [access policies via the OVHcloud Control Panel](/en/guides/account-and-service-management/account-information/iam-policy-ui.md) or [access policies via API](/en/guides/account-and-service-management/account-information/iam-policies-api.md). - You know how [send IAM policy logs to Logs Data Platform](/en/guides/manage-and-operate/iam/logs-forwarding.md). ## Instructions ### In HTTP responses During API calls, you can get the name of the missing action in the HTTP request response: via the `unauthorizedActionsByIAM` field. In the following example, the missing action is "_vps:apiovh:reboot_" ```json { "class": "Client::Forbidden", "message": "User not granted for this request", "details": { "unauthorizedActionsByAuthentication": "", "unauthorizedActionsByIAM": "vps:apiovh:reboot" } } ``` From the OVHcloud Control Panel, based entirely on our API, it is also possible to access this information through the web browser development tools. This is done by analysing the errors of type 403. To do this, go to the `Network ` tab, and select the query that returns a status **403** , then go to the `Response ` tab. ![Browser development tool](/images/manage-and-operate/iam/iam-troubleshooting/browser_dev_tool.png) ### In Logs Data Platform (LDP) If [transmission of OVHcloud account logs to LDP](/en/guides/manage-and-operate/iam/logs-forwarding.md) is enabled, you can find the information in the access policy logs. In the Graylog interface, search for the login of the user concerned and logs containing `unauthorized_actions_array` with the `identities_array:*My_user* AND unauthorized_actions_array:*` request. ![Graylog research](/images/manage-and-operate/iam/iam-troubleshooting/graylog_research.png) The logs filtered in this way show the actions refused by the OVHcloud IAM for the user. ![Log example](/images/manage-and-operate/iam/iam-troubleshooting/IAM_log.png) Here for example, the user _Ines_ tried to perform the action _vps:apiovh:reboot_ without success. You can also filter the search on `authorized_actions_array` to list the actions authorised by the OVHcloud IAM. ## Go further Join our [community of users](https://community.ovhcloud.com/).