Add istioctl subcommand to support querying Istio RBAC effect #4856

@yangminzhu

To make it easier to use Istio RBAC and per #1947, we can provide a command-line utility to allow the operator to query the effect of Istio RBAC.
It's better to integrate such a utility into istioctl as a subcommand rbac. The operator could invoke it with a group of attributes to simulate a request, and the command should return allow/deny plus some useful information about the reason for the result.

For example:
The command $ istioctl rbac can-i --user test --namespace default --service productpage --path abc/page --method GET could result in istioctl output like "Allowed" or "Denied. No ServiceRoleBinding found for user test".
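
A sketch of the deny-by-default check such a subcommand would perform, added here as an example; it is not part of the issue and not Istio's code. The types, the `CanI` function, the `"*"` wildcard, the second denial message and the sample policy are simplified assumptions.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for ServiceRole and ServiceRoleBinding.
type ServiceRole struct {
	Name, Namespace          string
	Services, Paths, Methods []string // "*" matches any value (assumption)
}

type ServiceRoleBinding struct {
	Namespace, RoleRef string
	Users              []string
}

type Request struct{ User, Namespace, Service, Path, Method string }

func matches(patterns []string, v string) bool {
	for _, p := range patterns {
		if p == "*" || p == v {
			return true
		}
	}
	return false
}

// CanI denies by default and returns the reason alongside the verdict.
func CanI(r Request, roles []ServiceRole, bindings []ServiceRoleBinding) (bool, string) {
	bound := map[string]bool{} // role names bound to r.User in r.Namespace
	for _, b := range bindings {
		if b.Namespace == r.Namespace && matches(b.Users, r.User) {
			bound[b.RoleRef] = true
		}
	}
	if len(bound) == 0 {
		return false, "Denied. No ServiceRoleBinding found for user " + r.User
	}
	for _, role := range roles {
		if role.Namespace == r.Namespace && bound[role.Name] && matches(role.Services, r.Service) && matches(role.Paths, r.Path) && matches(role.Methods, r.Method) {
			return true, "Allowed"
		}
	}
	return false, "Denied. No ServiceRole bound to user " + r.User + " permits this request"
}

func main() {
	roles := []ServiceRole{{"viewer", "default", []string{"productpage"}, []string{"*"}, []string{"GET"}}} // constructed sample
	bindings := []ServiceRoleBinding{{"default", "viewer", []string{"alice"}}}                             // constructed sample
	_, reason := CanI(Request{"test", "default", "productpage", "abc/page", "GET"}, roles, bindings)
	fmt.Println(reason)
}
```

Returning the reason separately from the verdict lets an operator tell a missing binding apart from a bound role whose rules do not cover the request.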
