Overview
The Cloud Healthcare API uses Identity and Access Management (IAM) for access control.
In the Cloud Healthcare API, access control can be configured at the project, dataset, or data store level. For example, you can grant access to all datasets within a project to a group of developers. To learn how to set up and use IAM with the Cloud Healthcare API, see Controlling access and Controlling access to other products.
For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.
Every Cloud Healthcare API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.
Permissions
The following tables list the IAM permissions that are associated with the Cloud Healthcare API. Method names are shortened in the table; each method's full name begins with projects.locations.
Annotation store methods
Annotation store method | Required permissions |
---|---|
datasets.annotationStores.create | healthcare.annotationStores.create on the parent dataset. |
datasets.annotationStores.delete | healthcare.annotationStores.delete on the requested annotation store. |
datasets.annotationStores.get | healthcare.annotationStores.get on the requested annotation store. |
datasets.annotationStores.list | healthcare.annotationStores.list on the parent dataset. |
datasets.annotationStores.patch | healthcare.annotationStores.update on the requested annotation store. |
datasets.annotationStores.annotations.create | healthcare.annotations.create on the parent annotation store. |
datasets.annotationStores.annotations.delete | healthcare.annotations.delete on the requested annotation record. |
datasets.annotationStores.annotations.get | healthcare.annotations.get on the requested annotation record. |
datasets.annotationStores.annotations.list | healthcare.annotations.list on the parent annotation store. |
datasets.annotationStores.annotations.patch | healthcare.annotations.update on the requested annotation record. |
Consent store methods
Consent store method | Required permissions |
---|---|
datasets.consentStores.checkDataAccess | healthcare.consentStores.checkDataAccess on the requested consent store. |
datasets.consentStores.create | healthcare.consentStores.create on the parent dataset. |
datasets.consentStores.delete | healthcare.consentStores.delete on the requested consent store. |
datasets.consentStores.evaluateUserConsents | healthcare.consentStores.evaluateUserConsents on the requested consent store. |
datasets.consentStores.get | healthcare.consentStores.get on the requested consent store. |
datasets.consentStores.getIamPolicy | healthcare.consentStores.getIamPolicy on the requested consent store. |
datasets.consentStores.list | healthcare.consentStores.list on the parent dataset. |
datasets.consentStores.patch | healthcare.consentStores.update on the requested consent store. |
datasets.consentStores.queryAccessibleData | healthcare.consentStores.queryAccessibleData on the requested consent store. |
datasets.consentStores.setIamPolicy | healthcare.consentStores.setIamPolicy on the requested consent store. |
datasets.consentStores.attributeDefinitions.create | healthcare.attributeDefinitions.create on the parent consent store. |
datasets.consentStores.attributeDefinitions.delete | healthcare.attributeDefinitions.delete on the requested attribute definition resource. |
datasets.consentStores.attributeDefinitions.get | healthcare.attributeDefinitions.get on the requested attribute definition resource. |
datasets.consentStores.attributeDefinitions.list | healthcare.attributeDefinitions.list on the parent consent store. |
datasets.consentStores.attributeDefinitions.patch | healthcare.attributeDefinitions.update on the requested attribute definition resource. |
datasets.consentStores.consentArtifacts.create | healthcare.consentArtifacts.create on the parent consent store. |
datasets.consentStores.consentArtifacts.delete | healthcare.consentArtifacts.delete on the requested consent artifact resource. |
datasets.consentStores.consentArtifacts.get | healthcare.consentArtifacts.get on the requested consent artifact resource. |
datasets.consentStores.consentArtifacts.list | healthcare.consentArtifacts.list on the parent consent store. |
datasets.consentStores.consents.create | healthcare.consents.create on the parent consent store. |
datasets.consentStores.consents.delete | healthcare.consents.delete on the requested consent resource. |
datasets.consentStores.consents.get | healthcare.consents.get on the requested consent resource. |
datasets.consentStores.consents.list | healthcare.consents.list on the parent consent store. |
datasets.consentStores.consents.patch | healthcare.consents.update on the requested consent resource. |
datasets.consentStores.consents.revoke | healthcare.consents.revoke on the requested consent resource. |
datasets.consentStores.userDataMappings.archive | healthcare.userDataMappings.archive on the requested user data mapping resource. |
datasets.consentStores.userDataMappings.create | healthcare.userDataMappings.create on the parent consent store. |
datasets.consentStores.userDataMappings.delete | healthcare.userDataMappings.delete on the requested user data mapping resource. |
datasets.consentStores.userDataMappings.get | healthcare.userDataMappings.get on the requested user data mapping resource. |
datasets.consentStores.userDataMappings.list | healthcare.userDataMappings.list on the parent consent store. |
datasets.consentStores.userDataMappings.patch | healthcare.userDataMappings.update on the requested user data mapping resource. |
Dataset methods
Datasets method | Required permissions |
---|---|
datasets.create | healthcare.datasets.create on the parent Google Cloud project. |
datasets.deidentify | |
datasets.delete | healthcare.datasets.delete on the requested dataset. |
datasets.get | healthcare.datasets.get on the requested dataset. |
datasets.getIamPolicy | healthcare.datasets.getIamPolicy on the requested dataset. |
datasets.list | healthcare.datasets.list on the parent Google Cloud project. |
datasets.patch | healthcare.datasets.update on the requested dataset. |
datasets.setIAMPolicy | healthcare.datasets.setIamPolicy on the requested dataset. |
DICOM store methods
DICOM store method | Required permissions |
---|---|
datasets.dicomStores.create | healthcare.dicomStores.create on the parent dataset. |
datasets.dicomStores.deidentify | |
datasets.dicomStores.delete | healthcare.dicomStores.delete on the requested DICOM store. |
datasets.dicomStores.export | |
datasets.dicomStores.get | healthcare.dicomStores.get on the requested DICOM store. |
datasets.dicomStores.getIamPolicy | healthcare.dicomStores.getIamPolicy on the requested DICOM store. |
datasets.dicomStores.import | |
datasets.dicomStores.list | healthcare.dicomStores.list on the parent dataset. |
datasets.dicomStores.patch | healthcare.dicomStores.update on the requested DICOM store. |
datasets.dicomStores.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.searchForSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.searchForStudies | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.setIamPolicy | healthcare.dicomStores.setIamPolicy on the requested DICOM store. |
datasets.dicomStores.storeInstances | healthcare.dicomStores.dicomWebWrite on the requested DICOM store. |
datasets.dicomStores.studies.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.retrieveStudy | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.searchForSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.storeInstances | healthcare.dicomStores.dicomWebWrite on the requested DICOM store. |
datasets.dicomStores.studies.series.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.series.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.retrieveSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveInstance | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveRendered | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.frames.retrieveFrames | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.frames.retrieveRendered | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.bulkdata.retrieveBulkdata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
FHIR store methods
FHIR store method | Required permissions |
---|---|
datasets.fhirStores.applyConsents | healthcare.fhirStores.applyConsents on the requested FHIR store resource. |
datasets.fhirStores.applyAdminConsents | healthcare.fhirStores.applyConsents on the requested FHIR store resource. |
datasets.fhirStores.create | healthcare.fhirStores.create on the parent dataset. |
datasets.fhirStores.deidentify | |
datasets.fhirStores.delete | healthcare.fhirStores.delete on the requested FHIR store. |
datasets.fhirStores.explainDataAccess | healthcare.fhirStores.explainDataAccess on the requested FHIR store resource. |
datasets.fhirStores.export | |
datasets.fhirStores.get | healthcare.fhirStores.get on the requested FHIR store. |
datasets.fhirStores.getIamPolicy | healthcare.fhirStores.getIamPolicy on the requested FHIR store. |
datasets.fhirStores.import | |
datasets.fhirStores.list | healthcare.fhirStores.list on the parent dataset. |
datasets.fhirStores.patch | healthcare.fhirStores.update on the requested FHIR store. |
datasets.fhirStores.configureSearch | healthcare.fhirStores.configureSearch on the requested FHIR store. |
datasets.fhirStores.setIamPolicy | healthcare.fhirStores.setIamPolicy on the requested FHIR store. |
datasets.fhirStores.getFHIRStoreMetrics | healthcare.fhirStores.get on the requested FHIR store. |
datasets.fhirStores.fhir.Encounter-everything | healthcare.fhirResources.get on each resource returned. |
datasets.fhirStores.fhir.Observation-lastn | healthcare.fhirStores.searchResources on the parent FHIR store. |
datasets.fhirStores.fhir.Patient-everything | healthcare.fhirResources.get on each resource returned. |
datasets.fhirStores.fhir.Resource-purge | healthcare.fhirResources.purge on the requested FHIR store resource. |
datasets.fhirStores.fhir.capabilities | healthcare.fhirStores.get on the requested FHIR store. |
datasets.fhirStores.fhir.conditionalDelete | |
datasets.fhirStores.fhir.conditionalPatch | |
datasets.fhirStores.fhir.conditionalUpdate | |
datasets.fhirStores.fhir.create | |
datasets.fhirStores.fhir.delete | healthcare.fhirResources.delete on the requested FHIR store resource. |
datasets.fhirStores.fhir.executeBundle | healthcare.fhirResources.executeBundle on the requested FHIR store, and additional permissions (such as healthcare.fhirResources.create and healthcare.fhirResources.update) corresponding to individual operations within the bundle. If the API caller has healthcare.fhirResources.create permissions but not healthcare.fhirResources.update permissions, the caller can only execute bundles containing healthcare.fhirResources.create operations. |
datasets.fhirStores.fhir.history | healthcare.fhirResources.get on the requested FHIR store resource and each of its versions. |
datasets.fhirStores.fhir.patch | healthcare.fhirResources.patch on the requested FHIR store resource. |
datasets.fhirStores.fhir.read | healthcare.fhirResources.get on the requested FHIR store resource. |
datasets.fhirStores.fhir.search | healthcare.fhirStores.searchResources on the parent FHIR store. |
datasets.fhirStores.fhir.update | healthcare.fhirResources.update on the requested FHIR store resource. |
datasets.fhirStores.fhir.vread | healthcare.fhirResources.get on the requested FHIR store resource version. |
datasets.fhirStores.fhir.Patient-consent-enforcement-status | healthcare.fhirResources.get on the requested FHIR store patient resource. |
datasets.fhirStores.fhir.Consent-enforcement-status | healthcare.fhirResources.get on the requested FHIR store consent resource. |
HL7v2 store methods
HL7v2 store method | Required permissions |
---|---|
datasets.hl7V2Stores.create | healthcare.hl7V2Stores.create on the parent dataset. |
datasets.hl7V2Stores.delete | healthcare.hl7V2Stores.delete on the requested HL7v2 store. |
datasets.hl7V2Stores.export | healthcare.hl7V2Stores.export on the requested HL7v2 store. |
datasets.hl7V2Stores.get | healthcare.hl7V2Stores.get on the requested HL7v2 store. |
datasets.hl7V2Stores.import | healthcare.hl7V2Stores.import on the requested HL7v2 store. |
datasets.hl7V2Stores.list | healthcare.hl7V2Stores.list on the parent dataset. |
datasets.hl7V2Stores.patch | healthcare.hl7V2Stores.update on the requested HL7v2 store. |
datasets.hl7V2Stores.getIamPolicy | healthcare.hl7V2Stores.getIamPolicy on the requested HL7v2 store. |
datasets.hl7V2Stores.setIamPolicy | healthcare.hl7V2Stores.setIamPolicy on the requested HL7v2 store. |
datasets.hl7V2Stores.messages.create | healthcare.hl7V2Messages.create on the parent HL7v2 store. |
datasets.hl7V2Stores.messages.delete | healthcare.hl7V2Messages.delete on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.get | healthcare.hl7V2Messages.get on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.ingest | healthcare.hl7V2Messages.ingest on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.list | healthcare.hl7V2Messages.list on the parent HL7v2 store. |
datasets.hl7V2Stores.messages.patch | healthcare.hl7V2Messages.update on the requested HL7v2 store message. |
Location methods
Location method | Required permissions |
---|---|
locations.get | healthcare.locations.get on the requested location. |
locations.list | healthcare.locations.list on the parent Google Cloud project. |
Healthcare Natural Language API methods
Healthcare Natural Language API method | Required permissions |
---|---|
nlp.analyzeEntities | healthcare.nlpservice.analyzeEntities |
Operation methods
Operation method | Required permission |
---|---|
datasets.operations.get | healthcare.operations.get on the requested dataset. |
datasets.operations.list | healthcare.operations.list on the requested dataset. |
datasets.operations.cancel | healthcare.operations.cancel on the requested dataset. |
De-identify methods
De-identify method | Required permission |
---|---|
services.deidentify.deidentifyDicomInstance | healthcare.deidentify.run |
services.deidentify.deidentifyFhirResource | healthcare.deidentify.run |
Roles
The following tables list the Cloud Healthcare API IAM roles, including the permissions associated with each role. The roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services. For more information about roles, see Understanding roles.
Annotations roles
Annotations role | Permissions |
---|---|
Healthcare Annotation Administrator: Administer Annotation stores. | |
Healthcare Annotation Store Viewer: List Annotation Stores in a dataset. | |
Healthcare Annotation Reader: Read and list annotations in an Annotation store. | |
Healthcare Annotation Editor: Create, delete, update, read and list annotations. | |
Consent store roles
Consent store role | Permissions |
---|---|
Healthcare Consent Store Viewer: List Consent Stores in a dataset. | |
Healthcare Consent Store Administrator: Administer Consent stores. | |
Consents roles
Consents role | Permissions |
---|---|
Healthcare Attribute Definition Reader: Read AttributeDefinition objects in a consent store. | |
Healthcare Attribute Definition Editor: Edit AttributeDefinition objects. | |
Healthcare Consent Artifact Reader: Read ConsentArtifact objects in a consent store. | |
Healthcare Consent Artifact Editor: Edit ConsentArtifact objects. | |
Healthcare Consent Artifact Administrator: Administer ConsentArtifact objects. | |
Healthcare Consent Reader: Read Consent objects in a consent store. | |
Healthcare Consent Editor: Edit Consent objects. | |
Healthcare User Data Mapping Reader: Read UserDataMapping objects in a consent store. | |
Healthcare User Data Mapping Editor: Edit UserDataMapping objects. | |
Datasets roles
Datasets role | Permissions |
---|---|
Healthcare Dataset Viewer: List the Healthcare Datasets in a project. | |
Healthcare Dataset Administrator: Administer Healthcare Datasets. | |
DICOM store roles
DICOM store role | Permissions |
---|---|
Healthcare DICOM Store Viewer: List DICOM Stores in a dataset. | |
Healthcare DICOM Store Administrator: Administer DICOM stores. | |
Healthcare DICOM Viewer: Retrieve DICOM images from a DICOM store. | |
Healthcare DICOM Editor: Edit DICOM images individually and in bulk. | |
FHIR store roles
FHIR store role | Permissions |
---|---|
Healthcare FHIR Store Viewer: List FHIR Stores in a dataset. | |
Healthcare FHIR Store Administrator: Administer FHIR resource stores. | |
Healthcare FHIR Resource Reader: Read and search FHIR resources. | |
Healthcare FHIR Resource Editor: Create, delete, update, read and search FHIR resources. | |
HL7v2 store roles
HL7v2 store role | Permissions |
---|---|
Healthcare HL7v2 Store Viewer: View HL7v2 Stores in a dataset. | |
Healthcare HL7v2 Store Administrator: Administer HL7v2 Stores. | |
Healthcare HL7v2 Message Ingest: Ingest HL7v2 messages received from a source network. | |
Healthcare HL7v2 Message Consumer: List and read HL7v2 messages, update message labels, and publish new messages. | |
Healthcare HL7v2 Message Editor: Read, write, and delete access to HL7v2 messages. | |
Healthcare Natural Language API roles
Healthcare Natural Language API role | Permissions |
---|---|
Healthcare NLP Service Viewer (Beta): Extract and analyze medical entities from a given text. | |
Cloud Healthcare Service Agent
The Cloud Healthcare Service Agent is a shared service account in your project that Cloud Healthcare API uses to interact with other resources in Google Cloud.
For example, this service agent is used to read from and write to Cloud Storage buckets, write to BigQuery, and publish messages to Pub/Sub from the Cloud Healthcare API.
To execute any of the preceding actions, you must give the Cloud Healthcare Service Agent access to the relevant Cloud Storage bucket, BigQuery dataset, or Pub/Sub topic.
As you create a permission model for your project, remember that granting any of the roles listed below allows the user to invoke operations that run as the Cloud Healthcare Service Agent and have access to any data that the agent has access to:
- roles/healthcare.consentStoreAdmin
- roles/healthcare.consentStoreViewer
- roles/healthcare.dicomStoreEditor
- roles/healthcare.dicomStoreViewer
- roles/healthcare.fhirStoreAdmin
- roles/healthcare.hl7V2StoreAdmin
Similarly, assigning the following permissions to custom roles would also allow the user to invoke operations that will run as the Cloud Healthcare Service Agent:
- healthcare.consentStores.queryAccessibleData
- healthcare.dicomStores.create
- healthcare.dicomStores.update
- healthcare.dicomStores.import
- healthcare.dicomStores.export
- healthcare.fhirStores.create
- healthcare.fhirStores.update
- healthcare.fhirStores.import
- healthcare.fhirStores.export
- healthcare.hl7V2Stores.create
- healthcare.hl7V2Stores.update
For example:
- If a user has any import permissions, then the user can run operations that act as the Cloud Healthcare Service Agent if those operations access any Cloud Storage buckets that the Cloud Healthcare Service Agent has read access to.
- If a user has any export permissions, then the user can run operations that act as the Cloud Healthcare Service Agent if those operations access any bucket that the service agent has write access to.
- A user who has create or update data store permissions can configure Pub/Sub notification targets or BigQuery streaming destinations, to which the Cloud Healthcare Service Agent sends data when changes are made to the data store.
As a best practice, leverage multiple projects to further isolate the permissions given to the Cloud Healthcare Service Agent.
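The following added example (not part of the original documentation or of any Google tooling) audits an IAM policy against the two lists in this section and reports which members can invoke operations that run as the Cloud Healthcare Service Agent. The sample policy, project, member names and custom role names are constructed, and `role_permissions` is a hypothetical input that the auditor supplies.

```python
# Predefined roles this page lists as able to invoke operations that run as
# the Cloud Healthcare Service Agent.
AGENT_ROLES = {
    "roles/healthcare.consentStoreAdmin", "roles/healthcare.consentStoreViewer",
    "roles/healthcare.dicomStoreEditor", "roles/healthcare.dicomStoreViewer",
    "roles/healthcare.fhirStoreAdmin", "roles/healthcare.hl7V2StoreAdmin",
}
# Permissions this page lists as having the same effect inside custom roles.
AGENT_PERMISSIONS = {"healthcare.consentStores.queryAccessibleData"} | {
    f"healthcare.{store}.{verb}"
    for store, verbs in (("dicomStores", "create update import export"),
                         ("fhirStores", "create update import export"),
                         ("hl7V2Stores", "create update"))
    for verb in verbs.split()
}

def effect(permission):
    """Map a listed permission to the consequence given in the page's examples."""
    verb = permission.rsplit(".", 1)[1]
    if verb == "import":
        return "reads Cloud Storage buckets the service agent can read"
    if verb == "export":
        return "writes to buckets the service agent can write"
    if verb in ("create", "update"):
        return "sets Pub/Sub or BigQuery destinations the service agent sends to"
    return "runs as the service agent"

def audit_policy(policy, role_permissions):
    """Return (findings, unresolved_roles); role_permissions (hypothetical input)
    maps a role name to its permission list, e.g. for custom roles."""
    findings, unresolved = [], set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in AGENT_ROLES:
            via = [role]  # predefined role named in the page's list
        elif role in role_permissions:
            via = sorted(AGENT_PERMISSIONS.intersection(role_permissions[role]))
        else:
            unresolved.add(role)  # permissions unknown: expand before trusting
            continue
        for member in binding.get("members", []) if via else ():
            findings.append({"member": member, "role": role, "via": via,
                             "effects": [effect(p) for p in via if p in AGENT_PERMISSIONS]})
    return findings, sorted(unresolved)

# Constructed sample data: project, members and custom roles are made up.
SAMPLE_ROLE_PERMISSIONS = {
    "projects/example-project/roles/fhirLoader":
        ["healthcare.fhirStores.import", "healthcare.fhirResources.create"],
    "projects/example-project/roles/fhirReadOnly":
        ["healthcare.fhirResources.get", "healthcare.fhirStores.searchResources"],
}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/healthcare.dicomStoreViewer", "members": ["group:imaging@example.com"]},
    {"role": "projects/example-project/roles/fhirLoader",
     "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "projects/example-project/roles/fhirReadOnly", "members": ["user:analyst@example.com"]},
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    found, unknown = audit_policy(SAMPLE_POLICY, SAMPLE_ROLE_PERMISSIONS)
    print(*found, sep="\n")
    print("expand before trusting:", unknown)
```

Roles reported as unresolved (here `roles/editor`) are ones whose permission list was not supplied, so they need to be expanded and re-checked rather than treated as clean.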