提供意見
使用 IAM 控管存取權
透過集合功能整理內容
你可以依據偏好儲存及分類內容。
總覽
Cloud Healthcare API 使用身分與存取權管理 (IAM) 控管存取權。
在 Cloud Healthcare API 中,您可在專案、資料集或資料儲存庫層級設定存取權控管。舉例來說,您可以授權一組開發人員,讓他們存取某個專案中的所有資料集。如要瞭解如何設定 IAM 並搭配 Cloud Healthcare API 使用,請參閱「控管存取權 」和「控管其他產品的存取權 」。
如需 IAM 和其功能的詳細說明,請參閱 IAM 說明文件 。特別是管理 IAM 政策 一節。
每個 Cloud Healthcare API 方法都會要求呼叫者具備必要權限,詳情請參閱「權限 」和「角色 」。
權限
下表列出與 Cloud Healthcare API 相關的 IAM 權限。表格中的方法名稱已縮短,每個方法的完整名稱開頭都是 projects.locations.。
同意聲明儲存庫方法
同意聲明儲存庫方法
所需權限
datasets.consentStores.checkDataAccesshealthcare.consentStores.checkDataAccess。
datasets.consentStores.create父項資料集上的 healthcare.consentStores.create。
datasets.consentStores.deletehealthcare.consentStores.delete。
datasets.consentStores.evaluateUserConsentshealthcare.consentStores.evaluateUserConsents。
datasets.consentStores.gethealthcare.consentStores.get。
datasets.consentStores.getIamPolicyhealthcare.consentStores.getIamPolicy。
datasets.consentStores.list父項資料集上的 healthcare.consentStores.list。
datasets.consentStores.patchhealthcare.consentStores.update。
datasets.consentStores.queryAccessibleDatahealthcare.consentStores.queryAccessibleData。
datasets.consentStores.setIamPolicyhealthcare.consentStores.setIamPolicy。
datasets.consentStores.attributeDefinitions.createhealthcare.attributeDefinitions.create。
datasets.consentStores.attributeDefinitions.deletehealthcare.attributeDefinitions.delete 要求的屬性定義資源。
datasets.consentStores.attributeDefinitions.gethealthcare.attributeDefinitions.get 要求的屬性定義資源。
datasets.consentStores.attributeDefinitions.listhealthcare.attributeDefinitions.list。
datasets.consentStores.attributeDefinitions.patchhealthcare.attributeDefinitions.update 要求的屬性定義資源。
datasets.consentStores.consentArtifacts.createhealthcare.consentArtifacts.create。
datasets.consentStores.consentArtifacts.deletehealthcare.consentArtifacts.delete 要求的同意聲明構件資源。
datasets.consentStores.consentArtifacts.gethealthcare.consentArtifacts.get 要求的同意聲明構件資源。
datasets.consentStores.consentArtifacts.listhealthcare.consentArtifacts.list。
datasets.consentStores.consents.createhealthcare.consents.create。
datasets.consentStores.consents.deletehealthcare.consents.delete 要求的同意聲明資源。
datasets.consentStores.consents.gethealthcare.consents.get 要求的同意聲明資源。
datasets.consentStores.consents.listhealthcare.consents.list。
datasets.consentStores.consents.patchhealthcare.consents.update 要求的同意聲明資源。
datasets.consentStores.consents.revokehealthcare.consents.revoke 要求的同意聲明資源。
datasets.consentStores.userDataMappings.archivehealthcare.userDataMappings.archive 要求的使用者資料對應資源。
datasets.consentStores.userDataMappings.createhealthcare.userDataMappings.create。
datasets.consentStores.userDataMappings.deletehealthcare.userDataMappings.delete 要求的使用者資料對應資源。
datasets.consentStores.userDataMappings.gethealthcare.userDataMappings.get 要求的使用者資料對應資源。
datasets.consentStores.userDataMappings.listhealthcare.userDataMappings.list。
datasets.consentStores.userDataMappings.patchhealthcare.userDataMappings.update 要求的使用者資料對應資源。
資料集方法
資料集方法
所需權限
datasets.create上層專案的 healthcare.datasets.create 權限。 Google Cloud
datasets.deidentify來源資料集的 healthcare.datasets.deidentify 權限。 healthcare.datasets.create Google Cloud 目的地資料集所屬專案。
datasets.deletehealthcare.datasets.delete 要求的資料集。
datasets.gethealthcare.datasets.get 要求的資料集。
datasets.getIamPolicyhealthcare.datasets.getIamPolicy 要求的資料集。
datasets.list上層專案的 healthcare.datasets.list 權限。 Google Cloud
datasets.patchhealthcare.datasets.update 要求的資料集。
datasets.setIAMPolicyhealthcare.datasets.setIamPolicy 要求的資料集。
DICOM 儲存庫方法
DICOM 儲存庫方法
所需權限
datasets.dicomStores.create父項資料集上的 healthcare.dicomStores.create。
datasets.dicomStores.deidentify來源 DICOM 儲存庫上的 healthcare.dicomStores.deidentify。 目的地 DICOM 儲存庫上的 healthcare.dicomStores.dicomWebWrite。
datasets.dicomStores.delete要求的 DICOM 儲存庫。healthcare.dicomStores.delete
datasets.dicomStores.export要求的 DICOM 儲存庫。healthcare.dicomStores.export 匯出至 Cloud Storage 時:roles/storage.objectAdmin 授予專案的 Cloud Healthcare Service Agent 服務帳戶。如需操作說明,請參閱「將資料匯出至 Cloud Storage 」。 匯出至 BigQuery 時:roles/bigquery.dataEditor 和 roles/bigquery.jobUser 授予專案的 Cloud Healthcare 服務代理程式 服務帳戶。如需操作說明,請參閱「DICOM 儲存庫 BigQuery 權限 」。
datasets.dicomStores.get要求的 DICOM 儲存庫。healthcare.dicomStores.get
datasets.dicomStores.getIamPolicy要求的 DICOM 儲存庫。healthcare.dicomStores.getIamPolicy
datasets.dicomStores.import要求的 DICOM 儲存庫。healthcare.dicomStores.import roles/storage.objectViewer 授予專案的 Cloud Healthcare Service Agent 服務帳戶。如需操作說明,請參閱「從 Cloud Storage 匯入資料 」。
datasets.dicomStores.list父項資料集上的 healthcare.dicomStores.list。
datasets.dicomStores.patch要求的 DICOM 儲存庫。healthcare.dicomStores.update
datasets.dicomStores.searchForInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.searchForSeries要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.searchForStudies要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.setIamPolicy要求的 DICOM 儲存庫。healthcare.dicomStores.setIamPolicy
datasets.dicomStores.storeInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebWrite
datasets.dicomStores.studies.delete要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebDelete
datasets.dicomStores.studies.retrieveMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.retrieveStudy要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.searchForInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.searchForSeries要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.storeInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebWrite
datasets.dicomStores.studies.updateInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebUpdate
datasets.dicomStores.studies.updateMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebUpdate
datasets.dicomStores.studies.series.delete要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebDelete
datasets.dicomStores.studies.series.retrieveMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.retrieveSeries要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.searchForInstances要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.updateMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebUpdate
datasets.dicomStores.studies.series.instances.delete要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebDelete
datasets.dicomStores.studies.series.instances.retrieveInstance要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.instances.retrieveMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.instances.retrieveRendered要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.instances.updateMetadata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebUpdate
datasets.dicomStores.studies.series.instances.frames.retrieveFrames要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.instances.frames.retrieveRendered要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
datasets.dicomStores.studies.series.instances.bulkdata.retrieveBulkdata要求的 DICOM 儲存庫。healthcare.dicomStores.dicomWebRead
FHIR 儲存庫方法
FHIR 儲存庫方法
所需權限
datasets.fhirStores.applyConsents所要求的 FHIR 存放區資源。healthcare.fhirStores.applyConsents
datasets.fhirStores.applyAdminConsents所要求的 FHIR 存放區資源。healthcare.fhirStores.applyConsents
datasets.fhirStores.configureSearchhealthcare.fhirStores.configureSearch。
datasets.fhirStores.create父項資料集上的 healthcare.fhirStores.create。
datasets.fhirStores.deidentify來源 FHIR 儲存庫的 healthcare.fhirStores.deidentify。 目的地 FHIR 儲存庫的 healthcare.fhirResources.update。
datasets.fhirStores.deletehealthcare.fhirStores.delete。
datasets.fhirStores.explainDataAccess所要求的 FHIR 存放區資源。healthcare.fhirStores.explainDataAccess
datasets.fhirStores.exporthealthcare.fhirStores.export。匯出至 Cloud Storage 時:授予專案的 Cloud Healthcare Service Agent 服務帳戶 storage.objects.create、storage.objects.delete 和 storage.objects.list。如需操作說明,請參閱「將 FHIR 資源匯出至 Cloud Storage 」。 匯出至 BigQuery 時:roles/bigquery.dataEditor 和 roles/bigquery.jobUser 授予專案的 Cloud Healthcare 服務代理程式 服務帳戶。如需操作說明,請參閱「FHIR 儲存庫 BigQuery 權限 」。
datasets.fhirStores.gethealthcare.fhirStores.get。
datasets.fhirStores.getFHIRStoreMetricshealthcare.fhirStores.get。
datasets.fhirStores.getIamPolicyhealthcare.fhirStores.getIamPolicy。
datasets.fhirStores.importhealthcare.fhirStores.import。storage.objects.get 和 storage.objects.list 授予專案的 Cloud Healthcare Service Agent 服務帳戶。如需操作說明,請參閱「從 Cloud Storage 匯入 FHIR 資源 」。
datasets.fhirStores.list父項資料集上的 healthcare.fhirStores.list。
datasets.fhirStores.patchhealthcare.fhirStores.update。
datasets.fhirStores.rollbackhealthcare.fhirStores.rollback。
datasets.fhirStores.setIamPolicyhealthcare.fhirStores.setIamPolicy。
datasets.fhirStores.fhir.Encounter-everything對每個傳回的資源呼叫 healthcare.fhirResources.get。
datasets.fhirStores.fhir.Observation-lastn上層 FHIR 儲存庫的 healthcare.fhirStores.searchResources。
datasets.fhirStores.fhir.Patient-everything對每個傳回的資源呼叫 healthcare.fhirResources.get。
datasets.fhirStores.fhir.Resource-purge所要求的 FHIR 存放區資源。healthcare.fhirResources.purge
datasets.fhirStores.fhir.capabilitieshealthcare.fhirStores.get。
datasets.fhirStores.fhir.conditionalDelete上層 FHIR 儲存庫的 healthcare.fhirStores.searchResources。 所要求的 FHIR 存放區資源。healthcare.fhirResources.delete
datasets.fhirStores.fhir.conditionalPatch上層 FHIR 儲存庫的 healthcare.fhirStores.searchResources。 所要求的 FHIR 存放區資源。healthcare.fhirResources.patch
datasets.fhirStores.fhir.conditionalUpdate上層 FHIR 儲存庫的 healthcare.fhirStores.searchResources。 所要求的 FHIR 存放區資源。healthcare.fhirResources.update
datasets.fhirStores.fhir.create條件式建立互動:父項 FHIR 儲存庫上的 healthcare.fhirResources.create 和 healthcare.fhirStores.searchResources。 如要建立互動:父項 FHIR 儲存庫上的 healthcare.fhirResources.create。
datasets.fhirStores.fhir.delete所要求的 FHIR 存放區資源。healthcare.fhirResources.delete
datasets.fhirStores.fhir.executeBundle要求的 FHIR 存放區,以及與套件中個別作業對應的其他權限 (例如 healthcare.fhirResources.create 和 healthcare.fhirResources.update)。healthcare.fhirResources.executeBundle如果 API 呼叫者具有 healthcare.fhirResources.create 權限,但沒有 healthcare.fhirResources.update 權限,則只能執行包含 healthcare.fhirResources.create 作業的套件。
datasets.fhirStores.fhir.historyhealthcare.fhirResources.get,以及每個版本。
datasets.fhirStores.fhir.patch所要求的 FHIR 存放區資源。healthcare.fhirResources.patch
datasets.fhirStores.fhir.read所要求的 FHIR 存放區資源。healthcare.fhirResources.get
datasets.fhirStores.fhir.search上層 FHIR 儲存庫的 healthcare.fhirStores.searchResources。
datasets.fhirStores.fhir.update所要求的 FHIR 存放區資源。healthcare.fhirResources.update
datasets.fhirStores.fhir.vreadhealthcare.fhirResources.get。
datasets.fhirStores.fhir.Patient-consent-enforcement-statushealthcare.fhirResources.get 要求的 FHIR 儲存庫病患資源。
datasets.fhirStores.fhir.Consent-enforcement-status在要求的 FHIR 存放區同意聲明資源上。healthcare.fhirResources.get
HL7v2 儲存庫方法
HL7v2 儲存庫方法
所需權限
datasets.hl7V2Stores.create父項資料集上的 healthcare.hl7V2Stores.create。
datasets.hl7V2Stores.delete要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.delete
datasets.hl7V2Stores.export要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.export
datasets.hl7V2Stores.get要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.get
datasets.hl7V2Stores.import要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.import
datasets.hl7V2Stores.list父項資料集上的 healthcare.hl7V2Stores.list。
datasets.hl7V2Stores.patch要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.update
datasets.hl7V2Stores.getIamPolicy要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.getIamPolicy
datasets.hl7V2Stores.setIamPolicy要求的 HL7v2 儲存庫上。healthcare.hl7V2Stores.setIamPolicy
datasets.hl7V2Stores.messages.create父項 HL7v2 儲存庫的 healthcare.hl7V2Messages.create。
datasets.hl7V2Stores.messages.delete要求的 HL7v2 儲存庫訊息。healthcare.hl7V2Messages.delete
datasets.hl7V2Stores.messages.get要求的 HL7v2 儲存庫訊息。healthcare.hl7V2Messages.get
datasets.hl7V2Stores.messages.ingest要求的 HL7v2 儲存庫訊息。healthcare.hl7V2Messages.ingest
datasets.hl7V2Stores.messages.list父項 HL7v2 儲存庫的 healthcare.hl7V2Messages.list。
datasets.hl7V2Stores.messages.patch要求的 HL7v2 儲存庫訊息。healthcare.hl7V2Messages.update
位置方法
位置方法
所需權限
locations.gethealthcare.locations.get 位於要求的位置。
locations.list上層專案的 healthcare.locations.list 權限。 Google Cloud
Healthcare Natural Language API 方法
Healthcare Natural Language API 方法
所需權限
nlp.analyzeEntitieshealthcare.nlpservice.analyzeEntities
操作方法
操作方法
必要權限
datasets.operations.gethealthcare.operations.get 要求的資料集。
datasets.operations.listhealthcare.operations.list 要求的資料集。
datasets.operations.cancelhealthcare.operations.cancel 要求的資料集。
去識別化方法
去識別化方法
必要權限
services.deidentify.deidentifyDicomInstancehealthcare.deidentify.run
services.deidentify.deidentifyFhirResourcehealthcare.deidentify.run
角色
下表列出 Cloud Healthcare API IAM 角色,以及與各角色相關聯的權限。roles/owner、roles/editor 和 roles/viewer 角色也具備其他 Google Cloud 服務的權限。如要進一步瞭解角色,請參閱「瞭解角色 」。
注意: 在商店層級授予檢視者角色 (例如 roles/healthcare.dicomViewer),不會同時授予資料集角色。如要查看資料集的長時間執行作業,您也必須授予資料集檢視者角色 (例如 roles/healthcare.datasetViewer) 或資料儲存庫檢視者角色 (例如 roles/healthcare.dicomViewer)。 同意聲明儲存庫角色
同意聲明儲存庫角色
權限
Healthcare Consent Store Viewer
(roles/)
可列出資料集中的同意聲明存放區。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 同意聲明庫管理員
(roles/)
可管理同意聲明存放區。
healthcare.consentStores.*
healthcare.healthcare.healthcare.healthcare.healthcare.consentStores.gethealthcare.healthcare.consentStores.listhealthcare.healthcare.healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
同意聲明角色
同意聲明角色
權限
Healthcare 屬性定義讀取者
(roles/)
可讀取同意聲明存放區中的 AttributeDefinition 物件。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 屬性定義編輯者
(roles/)
可編輯 AttributeDefinition 物件。
healthcare.
healthcare.healthcare.healthcare.healthcare.healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 同意聲明構件讀取者
(roles/)
可讀取同意聲明存放區中的 ConsentArtifact 物件。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 同意聲明構件編輯者
(roles/)
編輯 ConsentArtifact 物件。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/)
管理 ConsentArtifact 物件。
healthcare.consentArtifacts.*
healthcare.healthcare.healthcare.healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/)
可讀取同意聲明存放區中的同意聲明物件。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 同意聲明編輯者
(roles/)
編輯 Consent 物件。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.*
healthcare.consents.activatehealthcare.consents.createhealthcare.consents.deletehealthcare.consents.gethealthcare.consents.listhealthcare.consents.rejecthealthcare.consents.revokehealthcare.consents.update
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 使用者資料對應關係讀取者
(roles/)
可讀取同意聲明存放區中的 UserDataMapping 物件。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
healthcare.
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 使用者資料對應關係編輯者
(roles/)
可編輯 UserDataMapping 物件。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
healthcare.userDataMappings.*
healthcare.healthcare.healthcare.healthcare.healthcare.healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
資料集角色
資料集角色
權限
Healthcare 資料集檢視者
(roles/)
可在專案中列出 Healthcare 資料集。
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare 資料集管理員
(roles/)
可管理 Healthcare 資料集。
healthcare.datasets.*
healthcare.datasets.createhealthcare.datasets.deidentifyhealthcare.datasets.deletehealthcare.datasets.gethealthcare.healthcare.datasets.listhealthcare.healthcare.datasets.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.*
healthcare.operations.cancelhealthcare.operations.gethealthcare.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
DICOM 儲存庫角色
DICOM 儲存庫角色
權限
Healthcare DICOM Store 檢視者
(roles/)
可列出資料集中的 DICOM Store。
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM 存放區管理員
(roles/)
可以管理 DICOM Store。
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.
healthcare.dicomStores.delete
healthcare.
healthcare.dicomStores.get
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.dicomStores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM 檢視者
(roles/)
可以從 DICOM Store 擷取 DICOM 映像檔。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM 編輯者
(roles/)
可個別以及大量編輯 DICOM 映像檔。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
FHIR 儲存庫角色
FHIR 存放區角色
權限
Healthcare FHIR Store 檢視者
(roles/)
可列出資料集中的 FHIR Store。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR 存放區管理員
(roles/)
可管理 FHIR 資源存放區。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.
healthcare.
healthcare.fhirStores.create
healthcare.
healthcare.fhirStores.delete
healthcare.
healthcare.
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.
healthcare.
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.
healthcare.fhirStores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR 資源讀取者
(roles/)
讀取及搜尋 FHIR 資源。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR 資源編輯者
(roles/)
建立、刪除、更新、讀取及搜尋 FHIR 資源。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
HL7v2 儲存庫角色
HL7v2 儲存庫角色
權限
Healthcare HL7v2 Store 檢視者
(roles/)
可檢視資料集中的 HL7v2 Store。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store 管理員
(roles/)
可管理 HL7v2 Store。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.hl7V2Stores.createhealthcare.hl7V2Stores.deletehealthcare.hl7V2Stores.exporthealthcare.hl7V2Stores.gethealthcare.healthcare.hl7V2Stores.importhealthcare.hl7V2Stores.listhealthcare.healthcare.healthcare.hl7V2Stores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 訊息擷取者
(roles/)
可擷取來源網路發送的 HL7v2 訊息。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 訊息使用者
(roles/)
可列出和讀取 HL7v2 訊息、更新訊息標籤及發布新訊息。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 訊息編輯者
(roles/)
具備 HL7v2 訊息的讀取、寫入及刪除存取權。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.healthcare.healthcare.hl7V2Messages.gethealthcare.healthcare.hl7V2Messages.listhealthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Natural Language API 角色
Healthcare Natural Language API 角色
權限
醫療照護自然語言處理服務檢視者
Beta 版
(roles/)
從指定的文字中擷取及分析醫學實體。
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Healthcare 服務代理人
Cloud Healthcare Service Agent 是專案中共用的服務帳戶 ,Cloud Healthcare API 會使用這個帳戶與Google Cloud中的其他資源互動。
舉例來說,這個服務代理程式可用於讀取及寫入 Cloud Storage 值區、寫入 BigQuery,以及從 Cloud Healthcare API 將訊息發布至 Pub/Sub。
如要執行上述任何動作,您必須授予Cloud Healthcare 服務代理 相關 Cloud Storage 值區、BigQuery 資料集或 Pub/Sub 主題的存取權。
為專案建立權限模型時,請注意,授予下列任一角色,使用者就能以 Cloud Healthcare 服務代理 的身分叫用作業,並存取該代理可存取的任何資料:
roles/healthcare.consentStoreAdminroles/healthcare.consentStoreViewerroles/healthcare.dicomStoreEditorroles/healthcare.dicomStoreViewerroles/healthcare.fhirStoreAdminroles/healthcare.hl7V2StoreAdmin
同樣地,將下列權限指派給自訂角色,也會允許使用者叫用以「Cloud Healthcare 服務代理」
healthcare.consentStores.queryAccessibleDatahealthcare.dicomStores.createhealthcare.dicomStores.updatehealthcare.dicomStores.importhealthcare.dicomStores.exporthealthcare.fhirStores.createhealthcare.fhirStores.updatehealthcare.fhirStores.importhealthcare.fhirStores.exporthealthcare.hl7V2Stores.createhealthcare.hl7V2Stores.update
例如:
如果使用者具備任何匯入權限,且作業會存取 Cloud Healthcare Service Agent 具有讀取權限的任何 Cloud Storage 值區,則使用者可以執行作業,充當 Cloud Healthcare Service Agent 。
如果使用者具備任何匯出權限,且作業會存取服務代理程式具有寫入權限的任何值區,則使用者可以執行作業,充當 Cloud Healthcare Service Agent 。
如果使用者具備建立或更新資料儲存庫的權限,就能設定 Pub/Sub 通知目標或 BigQuery 串流目的地,在資料儲存庫變更時,由 Cloud Healthcare Service Agent 傳送通知。
最佳做法是利用多個專案,進一步隔離授予 Cloud Healthcare 服務代理程式 的權限。
提供意見
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權 ,程式碼範例則為阿帕契 2.0 授權 。詳情請參閱《Google Developers 網站政策 》。Java 是 Oracle 和/或其關聯企業的註冊商標。
上次更新時間:2025-09-04 (世界標準時間)。
想進一步說明嗎?
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThe Cloud Healthcare API uses Identity and Access Management (IAM) to control access at the project, dataset, or data store level, with specific permissions required for each API method.\u003c/p\u003e\n"],["\u003cp\u003eThe API provides methods for various data store types, including Annotation Stores, Consent Stores, Dataset, DICOM Stores, FHIR Stores, and HL7v2 Stores, each with its own set of create, get, list, delete, and update operations.\u003c/p\u003e\n"],["\u003cp\u003eDifferent roles are defined for managing access to healthcare data, such as Annotation Administrator, Consent Store Viewer, DICOM Store Editor, FHIR Resource Reader, and HL7v2 Store Administrator, each with a specific set of permissions.\u003c/p\u003e\n"],["\u003cp\u003eThe Cloud Healthcare Service Agent is a service account with roles and permissions to interact with Google Cloud resources and can access data based on the permissions granted to it.\u003c/p\u003e\n"],["\u003cp\u003eThe system provides access to data from the Healthcare Natural Language API and the de-identification of DICOM and FHIR resources, as well as methods for retrieving location and operation data.\u003c/p\u003e\n"]]],[],null,["# Access control with IAM\n\nOverview\n--------\n\nThe Cloud Healthcare API uses [Identity and Access Management (IAM)](/iam)\nfor access control.\n\nIn the Cloud Healthcare API, access control can be configured at the\nproject, dataset, or data store level. For example, you can grant access to all\ndatasets within a project to a group of developers. To learn how to set up and\nuse IAM with the Cloud Healthcare API, see\n[Controlling access](/healthcare-api/docs/how-tos/controlling-access) and\n[Controlling access to other products](/healthcare-api/docs/how-tos/permissions-healthcare-api-gcp-products).\n\nFor a detailed description of IAM and its features, see the\n[IAM documentation](/iam/docs).\nIn particular, see the section on\n[managing IAM policies](/iam/docs/granting-changing-revoking-access).\n\nEvery Cloud Healthcare API method requires the caller to have the\nnecessary permissions. See [Permissions](#permissions) and [Roles](#roles)\nfor more information.\n\nPermissions\n-----------\n\nThe following tables list the IAM permissions that are associated with the\nCloud Healthcare API. Method names are shortened in the table;\neach method's full name begins with `projects.locations.`.\n\n### Consent store methods\n\n### Dataset methods\n\n### DICOM store methods\n\n### FHIR store methods\n\n### HL7v2 store methods\n\n### Location methods\n\n### Healthcare Natural Language API methods\n\n### Operation methods\n\n### De-identify methods\n\nRoles\n-----\n\nThe following tables list the Cloud Healthcare API IAM\nroles, including the permissions associated with each role. The roles `roles/owner`, `roles/editor`, and `roles/viewer` include\npermissions for other Google Cloud services. For more information\nabout roles, see [Understanding roles](/iam/docs/understanding-roles).\n| **Note:** Granting viewer roles at the store level, such as `roles/healthcare.dicomViewer`, does not also grant the role for the dataset. To view long-running operations for the dataset, you must also grant either the dataset viewer role, such as `roles/healthcare.datasetViewer`, or the data store viewer role, such as `roles/healthcare.dicomViewer`, for the dataset.\n\n### Consent store roles\n\n### Consents roles\n\n### Datasets roles\n\n### DICOM store roles\n\n### FHIR store roles\n\n### HL7v2 store roles\n\n### Healthcare Natural Language API roles\n\nCloud Healthcare Service Agent\n------------------------------\n\nThe **Cloud Healthcare Service Agent** is a shared\n[service account](/iam/docs/service-accounts) in your project that\nCloud Healthcare API uses to interact with other resources in\nGoogle Cloud.\n\nFor example, this service agent is used to read and write to\nCloud Storage buckets, write to BigQuery, and to publish\nmessages to Pub/Sub from the Cloud Healthcare API.\n\nTo execute any of the preceding actions, you must give the **Cloud Healthcare\nService Agent** access to the relevant Cloud Storage bucket,\nBigQuery dataset, or Pub/Sub topic.\n\nAs you create a permission model for your project, remember that granting any of\nthe roles listed below allows the user to invoke operations that run as the\n**Cloud Healthcare Service Agent** and have access to any data that the agent\nhas access to:\n\n- `roles/healthcare.consentStoreAdmin`\n- `roles/healthcare.consentStoreViewer`\n- `roles/healthcare.dicomStoreEditor`\n- `roles/healthcare.dicomStoreViewer`\n- `roles/healthcare.fhirStoreAdmin`\n- `roles/healthcare.hl7V2StoreAdmin`\n\nSimilarly, assigning the following permissions to custom roles would also allow\nthe user to invoke operations that will run as the **Cloud Healthcare Service\nAgent**:\n\n- `healthcare.consentStores.queryAccessibleData`\n- `healthcare.dicomStores.create`\n- `healthcare.dicomStores.update`\n- `healthcare.dicomStores.import`\n- `healthcare.dicomStores.export`\n- `healthcare.fhirStores.create`\n- `healthcare.fhirStores.update`\n- `healthcare.fhirStores.import`\n- `healthcare.fhirStores.export`\n- `healthcare.hl7V2Stores.create`\n- `healthcare.hl7V2Stores.update`\n\nFor example:\n\n- If a user has any import permissions, then the user can run operations that act as the **Cloud Healthcare Service Agent** if those operations access any Cloud Storage buckets that the **Cloud Healthcare Service Agent** has read access to.\n- If a user has any export permissions, then the user can run operations that act as the **Cloud Healthcare Service Agent** if those operations access any bucket that the service agent has write access to.\n- A user who has create or update data store permissions has the ability to configure Pub/Sub notification targets or BigQuery streaming destinations that are sent by the **Cloud\n Healthcare Service Agent** when changes are made to the data store.\n\nAs a best practice, leverage multiple projects to further isolate the\npermissions given to the **Cloud Healthcare Service Agent**."]]
