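Creating and updating user consents

This page describes how to create, update, and revoke user consents.

Your application records consent artifacts and consents separately. The Consent Management API stores sensitive data related to a user's consent as a ConsentArtifact. A ConsentArtifact can include a signature timestamp and signature image, or other documents that serve as "proof" of consent.

The Consent Management API stores non-sensitive consent data as Consent objects. A Consent includes an opaque user ID, the consent policies the user has approved, and the status of the consent policies.

Because consents and consent artifacts have different resource paths, permissions on them can be set separately to minimize access to the sensitive consent data in consent artifacts.

Consents support expiration times, so you can configure when a consent expires and becomes invalid. The expiration can be set as a specific date or as a period of time, such as one year.

You can configure a default expiration time for a consent store when you create the store, and an expiration time for a consent when you create the consent. An expiration time set during consent creation overrides the default that you set for the consent store.

Consents can be created in the ACTIVE or DRAFT state. The Consent Management API uses consents in the ACTIVE state to make access determinations. Consents in the DRAFT state are used in an access determination only when they are specified in the access determination request. You can change the state from DRAFT to ACTIVE or REJECTED by updating the consent.

To record a user's consent, create a consent artifact using the projects.locations.datasets.consentStores.consentArtifacts.create method, and then link that artifact to a consent created using the projects.locations.datasets.consentStores.consents.create method.

The examples on this page assume that you have created a consent store and configured consent policies.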

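Consent artifacts store sensitive data related to a user's consent. A consent artifact can include the user's contact information, a signature timestamp and signature image, or other documents that serve as "proof" of consent.

To create a consent artifact, use the projects.locations.datasets.consentStores.consentArtifacts.create method. Make a POST request and specify the following information in the request:

  • The name of the parent consent store.
  • A unique and opaque user ID that represents the user granting consent.
  • The user's signature, which can optionally include a signature image, a timestamp, and other metadata. The image can be specified as the location of an image in Cloud Storage or as a string of raw bytes.
  • (Optional) A guardian or witness signature.
  • (Optional) Images or documents that serve as "proof" of consent, such as a signature image, a screenshot of a mobile consent flow, or a signed PDF document. These can be specified as locations in Cloud Storage or as strings of raw bytes.
  • An identifier for the consent information shown to the user.
  • (Optional) Metadata related to the user's consent.
  • An access token.

The following example shows a POST request using curl.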

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data '{
       "user_id": "USER_ID",
       "user_signature": {
         "user_id": "USER_ID",
         "image": {
           "gcs_uri": "gs://IMG_URI" },
         "signature_time": {
           "seconds": EPOCH_SECONDS }
       },
       "consent_content_screenshots": [
         { "raw_bytes": "BASE_64_IMAGE" }],
       "consent_content_version": "v1",
       "metadata": {"client": "mobile"}
    }' \
    "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts"

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_RESOURCE_ID",
  "userId": "USER_ID",
  "userSignature": {
    "userId": "USER_ID",
    "signatureTime": "SIGNATURE_TIME"
  },
  "consentContentVersion": "v1",
  "metadata": {
    "client": "mobile"
  }
}

The following example shows a POST request using Windows PowerShell:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/consent+json; charset=utf-8" `
  -Body '{
       "user_id": "USER_ID",
       "user_signature": {
         "user_id": "USER_ID",
         "image": {
           "gcs_uri": "gs://IMG_URI" },
         "signature_time": {
           "seconds": EPOCH_SECONDS }
       },
       "consent_content_screenshots": [
         { "raw_bytes": "BASE_64_IMAGE" }],
       "consent_content_version": "v1",
       "metadata": {"client": "mobile"}
    }' `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts" | Select-Object -Expand Content

If the request succeeds, the server returns the following response in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_RESOURCE_ID",
  "userId": "USER_ID",
  "userSignature": {
    "userId": "USER_ID",
    "signatureTime": "SIGNATURE_TIME"
  },
  "consentContentVersion": "v1",
  "metadata": {
    "client": "mobile"
  }
}

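Consents store non-sensitive data, including an opaque user ID, the consent policies the user has approved, and whether the consent policies are currently in effect.

To create a consent, use the projects.locations.datasets.consentStores.consents.create method. Make a POST request and specify the following information in the request:

  • The name of the parent consent store.
  • A unique and opaque user ID that represents the user granting consent.
  • Up to 10 consent policies, where each policy has a set of RESOURCE attribute values and an authorization rule, expressed in Common Expression Language (CEL), that describes the user's intent for the previously created attribute definitions. The following CEL restrictions apply:
    • You can define up to 10 logical operators per policy.
    • Only the AND (&&), OR (||), and IN operators can be used.
  • The REST path of the corresponding consent artifact (returned when the consent artifact was created).
  • (Optional) The consent state, either DRAFT or ACTIVE. If you don't specify a state, the consent is created in the ACTIVE state.
  • (Optional) The expiration of the consent, which can be defined as a date or as a duration. The value must be in seconds and suffixed with the letter s, for example 86000s. This value overrides the expiration time that you configured for the consent store. If you don't configure an expiration time, the resource inherits the default expiration time of the consent store. If no expiration time is specified for either the resource or the store, the consent resource doesn't expire.
  • An access token.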
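
A client-side pre-flight check for the limits in the list above, added here as an example (it is not part of the original page or of Google's client libraries). Treating `==` as permitted, counting `in` toward the operator limit, and requiring the artifact to live in the same consent store are assumptions of this example; the server remains authoritative.

```python
import re

MAX_POLICIES = 10            # page: up to 10 policies per consent
MAX_LOGICAL_OPERATORS = 10   # page: up to 10 logical operators per policy
ALLOWED_SYMBOLS = {"&&", "||", "=="}   # "==" is an assumption: the page's example uses it
CREATE_STATES = {"DRAFT", "ACTIVE"}    # page: states accepted at creation

# String literals are matched first so operator characters inside quotes are not counted.
_TOKEN = re.compile(r"""
    (?P<string>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*|\d+)
  | (?P<symbol>&&|\|\||==|!=|<=|>=|[<>!?:+\-*/%])
  | (?P<other>[\[\](),\s]+)
""", re.VERBOSE)

def check_expression(expr):
    """Return the problems found in one authorization_rule expression."""
    problems, logical, pos = [], 0, 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            return problems + [f"cannot tokenize at offset {pos}: {expr[pos:pos + 10]!r}"]
        kind, text = m.lastgroup, m.group()
        if kind == "symbol" and text not in ALLOWED_SYMBOLS:
            problems.append(f"operator {text!r} is not allowed")
        # Assumption: &&, || and the keyword "in" all count toward the limit.
        if text in ("&&", "||", "in"):
            logical += 1
        pos = m.end()
    if logical > MAX_LOGICAL_OPERATORS:
        problems.append(f"{logical} logical operators, limit is {MAX_LOGICAL_OPERATORS}")
    return problems

def validate_consent_request(parent, body):
    """Check a consents.create body against the limits the page lists."""
    problems = []
    policies = body.get("policies", [])
    if len(policies) > MAX_POLICIES:
        problems.append(f"{len(policies)} policies, limit is {MAX_POLICIES}")
    for i, policy in enumerate(policies):
        expr = policy.get("authorization_rule", {}).get("expression", "")
        problems += [f"policies[{i}]: {p}" for p in check_expression(expr)]
    # Local policy of this example: the artifact must live in the same consent store.
    artifact = body.get("consent_artifact", "")
    if not re.fullmatch(re.escape(parent) + r"/consentArtifacts/[^/]+", artifact):
        problems.append("consent_artifact is not an artifact path under this consent store")
    if body.get("state", "ACTIVE") not in CREATE_STATES:
        problems.append(f"state {body['state']!r} cannot be set at creation")
    # Whole seconds with an "s" suffix, as in the page's 86000s example.
    if "ttl" in body and not re.fullmatch(r"\d+s", body["ttl"]):
        problems.append(f"ttl {body['ttl']!r} is not a seconds value such as '86000s'")
    return problems

PARENT = "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID"

def _policy(value, expression):
    return {"resource_attributes": [{"attribute_definition_id": "data_identifiable",
                                     "values": [value]}],
            "authorization_rule": {"expression": expression}}

PAGE_BODY = {  # request body from the page's curl example, with a concrete ttl
    "user_id": "USER_ID",
    "policies": [
        _policy("identifiable", "requester_identity == 'clinical-admin'"),
        _policy("de-identified",
                "requester_identity in ['internal-researcher', 'external-researcher']")],
    "consent_artifact": PARENT + "/consentArtifacts/CONSENT_ARTIFACT_ID",
    "ttl": "86000s",
}
BAD_BODY = {  # constructed: breaks four of the rules above
    "policies": [_policy("identifiable", "!(requester_identity == 'vendor')")],
    "consent_artifact": "projects/OTHER/consentArtifacts/x",
    "state": "REVOKED", "ttl": "1 year",
}

if __name__ == "__main__":
    for body in (PAGE_BODY, BAD_BODY):
        print(validate_consent_request(PARENT, body))
```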

The following example shows a POST request using curl.

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data "{
       \"user_id\": \"USER_ID\",
       \"policies\": [{
         \"resource_attributes\": [{
           \"attribute_definition_id\": \"data_identifiable\",
           \"values\": [\"identifiable\"]
         }],
         \"authorization_rule\": {
           \"expression\": \"requester_identity == 'clinical-admin'\"
        }
       },
       {
         \"resource_attributes\": [{
           \"attribute_definition_id\": \"data_identifiable\",
           \"values\": [\"de-identified\"]
         }],
         \"authorization_rule\": {
           \"expression\": \"requester_identity in ['internal-researcher', 'external-researcher']\"
          }
       }],
       \"consent_artifact\": \"projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID\",
       \"ttl\": \"EXPIRATION_DURATION\"
    }" \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents"

If the request succeeds, the server returns a response similar to the following sample:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "CONSENT_STATE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}

The following example shows a POST request using Windows PowerShell:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

# A single-quoted here-string keeps the JSON double quotes and the CEL single quotes literal.
$body = @'
{
  "user_id": "USER_ID",
  "policies": [{
    "resource_attributes": [{
      "attribute_definition_id": "data_identifiable",
      "values": ["identifiable"]
    }],
    "authorization_rule": {
      "expression": "requester_identity == 'clinical-admin'"
    }
  },{
    "resource_attributes": [{
      "attribute_definition_id": "data_identifiable",
      "values": ["de-identified"]
    }],
    "authorization_rule": {
      "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
    }
  }],
  "consent_artifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "ttl": "EXPIRATION_DURATION"
}
'@

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/consent+json; charset=utf-8" `
  -Body $body `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents" | Select-Object -Expand Content

If the request succeeds, the server returns a response similar to the following sample:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "CONSENT_STATE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}

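The following examples show how to get a consent. For more information, see projects.locations.datasets.consentStores.consents.get.

To get a consent, make a GET request and specify the following information in the request:

  • The name of the parent dataset
  • The name of the consent store
  • The name of the consent
  • An access token

The following example shows a GET request using curl.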

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
     "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID"

If the request succeeds, the server returns the response in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "CONSENT_STATE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "revisionCreateTime": "REVISION_CREATE_TIME",
  "expireTime": "EXPIRE_TIME"
}

The following example shows a GET request using Windows PowerShell:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-RestMethod `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID" | ConvertTo-Json

If the request succeeds, the server returns the response in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": "",
      "authorizationRule": "@{expression=requester_identity == 'clinical-admin'}"
    },
    {
      "resourceAttributes": "",
      "authorizationRule": "@{expression=requester_identity in ['internal-researcher', 'external-researcher']}"
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "CONSENT_STATE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "revisionCreateTime": "REVISION_CREATE_TIME",
  "expireTime": "EXPIRE_TIME"
}

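The following examples show how to list the consents in a consent store.

To list the consents in a consent store, use the projects.locations.datasets.consentStores.consents.list method.

To list the consents in a consent store, make a GET request and specify the following information:

  • The name of the parent consent store
  • An optional search filter that retrieves consents based on user ID, state, creation time, or consent artifact
  • An access token

The following example shows a GET request using curl.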

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
     "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents"

If the request succeeds, the server returns the response in JSON format:

{
  "consents": [
    {
      "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
      "userId": "USER_ID",
      "policies": [
        {
          "resourceAttributes": [
            {
              "attributeDefinitionId": "data_identifiable",
              "values": [
                "identifiable"
              ]
            }
          ],
          "authorizationRule": {
            "expression": "requester_identity == 'clinical-admin'"
          }
        },
        {
          "resourceAttributes": [
            {
              "attributeDefinitionId": "data_identifiable",
              "values": [
                "de-identified"
              ]
            }
          ],
          "authorizationRule": {
            "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
          }
        }
      ],
      "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
      "state": "CONSENT_STATE",
      "stateChangeTime": "STATE_CHANGE_TIME",
      "revisionCreateTime": "REVISION_CREATE_TIME",
      "expireTime": "EXPIRE_TIME"
    },
    {
      ...
    }
  ]
}

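To list the consents in a consent store, make a GET request and specify the following information:

  • The name of the parent dataset
  • An optional search filter that retrieves consents based on user ID, state, creation time, or consent artifact
  • An access token

The following example shows a GET request using Windows PowerShell.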

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents" | Select-Object -Expand Content

If the request succeeds, the server returns the response in JSON format:

{
  "consents": [
    {
      "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
      "userId": "USER_ID",
      "policies": [
        {
          "resourceAttributes": [
            {
              "attributeDefinitionId": "data_identifiable",
              "values": [
                "identifiable"
              ]
            }
          ],
          "authorizationRule": {
            "expression": "requester_identity == 'clinical-admin'"
          }
        },
        {
          "resourceAttributes": [
            {
              "attributeDefinitionId": "data_identifiable",
              "values": [
                "de-identified"
              ]
            }
          ],
          "authorizationRule": {
            "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
          }
        }
      ],
      "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
      "state": "CONSENT_STATE",
      "stateChangeTime": "STATE_CHANGE_TIME",
      "revisionCreateTime": "REVISION_CREATE_TIME",
      "expireTime": "EXPIRE_TIME"
    },
    {
      ...
    }
  ]
}

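You can also list the revisions of a specific consent using the projects.locations.datasets.consentStores.consents.listRevisions method.

Updating consents

Over time, you might need to update the state of a consent. To do so, you can change the consent's state. Each update and state change generates a new revision of the consent. You can access previous revisions by appending @{revision_id} to the consent's resource name.

Updating a consent

To update the userId, policies, consentArtifact, or revokeConsentArtifact fields of an active or draft consent, use the projects.locations.datasets.consentStores.consents.patch method. A new revision containing the changes is committed and set as the current state.

To update a consent, make a PATCH request and specify the following information in the request:

  • The REST path of the consent to update
  • The fields to update
  • An update mask
  • An access token

The following example shows a PATCH request using curl that updates the consent artifact: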

curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data "{
       \"consentArtifact\": \"projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID\"
       }" \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID?updateMask=consentArtifact"

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "ACTIVE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "revisionCreateTime": "REVISION_CREATE_TIME",
  "expireTime": "EXPIRE_TIME"
}

The following example shows a PATCH request using Windows PowerShell that updates the consent artifact:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Patch `
  -Headers $headers `
  -ContentType "application/consent+json; charset=utf-8" `
  -Body '{
       "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID"
    }' `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID?updateMask=consentArtifact" | Select-Object -Expand Content

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "ACTIVE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "revisionCreateTime": "REVISION_CREATE_TIME",
  "expireTime": "EXPIRE_TIME"
}

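Activating a consent

To change a consent's state from DRAFT to ACTIVE after the user accepts the consent, use the projects.locations.datasets.consentStores.consents.activateConsent method. A new revision with the ACTIVE state is committed. When a consent is in the ACTIVE state, it is included in access determination requests.

To activate a consent, make a POST request and specify the following information in the request:

  • The REST path of the consent to activate
  • The REST path of an optional artifact that records the reason the consent was activated
  • An access token

The following example shows a POST request using curl.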

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data '{
       "consent_artifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_RESOURCE_ID"
       }' \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID:activate"

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "ACTIVE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}

The following example shows a POST request using Windows PowerShell:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/consent+json; charset=utf-8" `
  -Body '{
       "consent_artifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID"
    }' `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID:activate" | Select-Object -Expand Content

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "ACTIVE",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}

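Revoking and rejecting consents

To change a consent's state from DRAFT to REJECTED (for example, when the user indicates that they don't accept the consent), use the projects.locations.datasets.consentStores.consents.reject method. When a consent is in the REJECTED state, it is not included in access determination requests.

To change a consent's state from ACTIVE to REVOKED (for example, when the user asks to cancel a previously approved consent), use the projects.locations.datasets.consentStores.consents.revoke method. A new revision with the REVOKED state is committed. Access determination requests don't include consents in the REVOKED state. You can create an optional artifact associated with the consent to record the reason the consent was revoked. Revoking a consent doesn't delete it.

To revoke a consent, make a POST request and specify the following information in the request:

  • The REST path of the consent to revoke
  • The REST path of an optional artifact that records the reason the consent was revoked
  • An access token

The following example shows a POST request using curl.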

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data "{}" \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID:revoke"

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "REVOKED",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}

The following example shows a POST request using Windows PowerShell:

$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/consent+json; charset=utf-8" `
  -Body "{}" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID:revoke" | Select-Object -Expand Content

If the request succeeds, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consents/CONSENT_ID",
  "userId": "USER_ID",
  "policies": [
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "identifiable"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity == 'clinical-admin'"
      }
    },
    {
      "resourceAttributes": [
        {
          "attributeDefinitionId": "data_identifiable",
          "values": [
            "de-identified"
          ]
        }
      ],
      "authorizationRule": {
        "expression": "requester_identity in ['internal-researcher', 'external-researcher']"
      }
    }
  ],
  "consentArtifact": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/consentArtifacts/CONSENT_ARTIFACT_ID",
  "state": "REVOKED",
  "stateChangeTime": "STATE_CHANGE_TIME",
  "expireTime": "EXPIRE_TIME"
}
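
The state rules described on this page (DRAFT to ACTIVE or REJECTED, ACTIVE to REVOKED, and which states take part in access determinations), collected into one check that can be run over consents.list or listRevisions output. This is an added example, not code from the original page; the sample records are constructed, the `:reject` suffix is assumed by analogy with the `:activate` and `:revoke` URLs shown above, and applying the expiry check to DRAFT consents is an assumption.

```python
from datetime import datetime, timezone

# State changes the page describes, mapped to the custom-method suffix of the call.
TRANSITIONS = {
    ("DRAFT", "ACTIVE"): ":activate",
    ("DRAFT", "REJECTED"): ":reject",
    ("ACTIVE", "REVOKED"): ":revoke",
}


def method_for(current, target):
    """Return the method suffix that performs current -> target, or raise ValueError."""
    try:
        return TRANSITIONS[(current, target)]
    except KeyError:
        raise ValueError(f"the page describes no {current} -> {target} transition") from None


def _parse_time(value):
    # Timestamps are RFC 3339 strings; older Python versions do not parse a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def used_in_access_determination(consent, now, requested=()):
    """Apply the page's rules: ACTIVE always, DRAFT only when named in the request."""
    expire = consent.get("expireTime")
    if expire and _parse_time(expire) <= now:
        return False  # an expired consent is no longer valid
    if consent["state"] == "ACTIVE":
        return True
    return consent["state"] == "DRAFT" and consent["name"] in requested


def effective(consents, now, requested=()):
    """Names of the consents that would take part in an access determination."""
    return [c["name"] for c in consents if used_in_access_determination(c, now, requested)]


def check_history(states):
    """Flag state changes in a revision history (oldest first) that the page does not describe."""
    return [(i + 1, a, b) for i, (a, b) in enumerate(zip(states, states[1:]))
            if a != b and (a, b) not in TRANSITIONS]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

# Constructed consents.list entries, reduced to the fields this check reads.
SAMPLE = [
    {"name": "consents/a", "state": "ACTIVE", "expireTime": "2025-01-01T00:00:00Z"},
    {"name": "consents/b", "state": "ACTIVE", "expireTime": "2024-01-01T00:00:00Z"},
    {"name": "consents/c", "state": "DRAFT", "expireTime": "2025-01-01T00:00:00Z"},
    {"name": "consents/d", "state": "REVOKED", "expireTime": "2025-01-01T00:00:00Z"},
    {"name": "consents/e", "state": "REJECTED"},
]

if __name__ == "__main__":
    print(effective(SAMPLE, NOW))
    print(effective(SAMPLE, NOW, requested=("consents/c",)))
    print(check_history(["DRAFT", "ACTIVE", "REVOKED", "ACTIVE"]))
```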