Overview
The Cloud Healthcare API uses Cloud Identity and Access Management (Cloud IAM) for access control.
In the Cloud Healthcare API, access control can be configured at the project, dataset, or data store level. Access control can also be configured for FHIR store security labels (v1alpha2 only). For example, you can grant access to all datasets within a project to a group of developers. To learn how to set up and use Cloud IAM with the Cloud Healthcare API, see Controlling access and Controlling access to other products.
For a detailed description of IAM and its features, see the Cloud IAM documentation. In particular, see the section on managing Cloud IAM policies.
Every Cloud Healthcare API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.
Permissions
This section summarizes the Cloud Healthcare API permissions that Cloud IAM supports.
Required permissions
The following tables list the IAM permissions that are associated with the Cloud Healthcare API. Note that method names are shortened in the tables; each method's full name begins with projects.locations.
Datasets method | Required permissions |
---|---|
datasets.create | healthcare.datasets.create on the parent Google Cloud project. |
datasets.deidentify | |
datasets.delete | healthcare.datasets.delete on the requested dataset. |
datasets.get | healthcare.datasets.get on the requested dataset. |
datasets.getIamPolicy | healthcare.datasets.getIamPolicy on the requested dataset. |
datasets.list | healthcare.datasets.list on the parent Google Cloud project. |
datasets.patch | healthcare.datasets.update on the requested dataset. |
datasets.setIamPolicy | healthcare.datasets.setIamPolicy on the requested dataset. |
DICOM store method | Required permissions |
---|---|
datasets.dicomStores.create | healthcare.dicomStores.create on the parent dataset. |
datasets.dicomStores.deidentify | |
datasets.dicomStores.delete | healthcare.dicomStores.delete on the requested DICOM store. |
datasets.dicomStores.export | |
datasets.dicomStores.get | healthcare.dicomStores.get on the requested DICOM store. |
datasets.dicomStores.getIamPolicy | healthcare.dicomStores.getIamPolicy on the requested DICOM store. |
datasets.dicomStores.import | |
datasets.dicomStores.list | healthcare.dicomStores.list on the parent dataset. |
datasets.dicomStores.patch | healthcare.dicomStores.update on the requested DICOM store. |
datasets.dicomStores.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.searchForSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.searchForStudies | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.setIamPolicy | healthcare.dicomStores.setIamPolicy on the requested DICOM store. |
datasets.dicomStores.storeInstances | healthcare.dicomStores.dicomWebWrite on the requested DICOM store. |
datasets.dicomStores.studies.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.retrieveStudy | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.searchForSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.storeInstances | healthcare.dicomStores.dicomWebWrite on the requested DICOM store. |
datasets.dicomStores.studies.series.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.series.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.retrieveSeries | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.searchForInstances | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.delete | healthcare.dicomStores.dicomWebDelete on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveInstance | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveMetadata | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.retrieveRendered | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.frames.retrieveFrames | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
datasets.dicomStores.studies.series.instances.frames.retrieveRendered | healthcare.dicomStores.dicomWebRead on the requested DICOM store. |
FHIR store method | Required permissions |
---|---|
datasets.fhirStores.create | healthcare.fhirStores.create on the parent dataset. |
datasets.fhirStores.deidentify | |
datasets.fhirStores.delete | healthcare.fhirStores.delete on the requested FHIR store. |
datasets.fhirStores.export | |
datasets.fhirStores.get | healthcare.fhirStores.get on the requested FHIR store. |
datasets.fhirStores.getIamPolicy | healthcare.fhirStores.getIamPolicy on the requested FHIR store. |
datasets.fhirStores.import | |
datasets.fhirStores.list | healthcare.fhirStores.list on the parent dataset. |
datasets.fhirStores.patch | healthcare.fhirStores.update on the requested FHIR store. |
datasets.fhirStores.setIamPolicy | healthcare.fhirStores.setIamPolicy on the requested FHIR store. |
datasets.fhirStores.fhir.Observation-lastn | |
datasets.fhirStores.fhir.Patient-everything | healthcare.fhirResources.get on each resource returned. |
datasets.fhirStores.fhir.Resource-purge | healthcare.fhirResources.purge on the requested FHIR store resource. |
datasets.fhirStores.fhir.capabilities | healthcare.fhirStores.get on the requested FHIR store. |
datasets.fhirStores.fhir.conditionalDelete | |
datasets.fhirStores.fhir.conditionalPatch | |
datasets.fhirStores.fhir.conditionalUpdate | |
datasets.fhirStores.fhir.create | |
datasets.fhirStores.fhir.delete | healthcare.fhirResources.delete on the requested FHIR store resource. |
datasets.fhirStores.fhir.executeBundle | healthcare.fhirStores.get on the requested FHIR store, and additional permissions (such as healthcare.fhirResources.create and healthcare.fhirResources.update) corresponding to the individual operations within the bundle. If the API caller has the healthcare.fhirResources.create permission but not the healthcare.fhirResources.update permission, the caller can only execute bundles containing create operations. |
datasets.fhirStores.fhir.history | healthcare.fhirResources.get on the requested FHIR store resource and each of its versions. |
datasets.fhirStores.fhir.patch | healthcare.fhirResources.patch on the requested FHIR store resource. |
datasets.fhirStores.fhir.read | healthcare.fhirResources.get on the requested FHIR store resource. |
datasets.fhirStores.fhir.search | |
datasets.fhirStores.fhir.update | healthcare.fhirResources.update on the requested FHIR store resource. |
datasets.fhirStores.fhir.vread | healthcare.fhirResources.get on the requested FHIR store resource version. |
datasets.fhirStores.securityLabels.getIamPolicy (v1alpha2 only) | |
datasets.fhirStores.securityLabels.setIamPolicy (v1alpha2 only) | |
HL7v2 store method | Required permissions |
---|---|
datasets.hl7V2Stores.create | healthcare.hl7V2Stores.create on the parent dataset. |
datasets.hl7V2Stores.delete | healthcare.hl7V2Stores.delete on the requested HL7v2 store. |
datasets.hl7V2Stores.get | healthcare.hl7V2Stores.get on the requested HL7v2 store. |
datasets.hl7V2Stores.list | healthcare.hl7V2Stores.list on the parent dataset. |
datasets.hl7V2Stores.patch | healthcare.hl7V2Stores.update on the requested HL7v2 store. |
datasets.hl7V2Stores.getIamPolicy | healthcare.hl7V2Stores.getIamPolicy on the requested HL7v2 store. |
datasets.hl7V2Stores.setIamPolicy | healthcare.hl7V2Stores.setIamPolicy on the requested HL7v2 store. |
datasets.hl7V2Stores.messages.create | healthcare.hl7V2Messages.create on the parent HL7v2 store. |
datasets.hl7V2Stores.messages.delete | healthcare.hl7V2Messages.delete on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.get | healthcare.hl7V2Messages.get on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.ingest | healthcare.hl7V2Messages.ingest on the requested HL7v2 store message. |
datasets.hl7V2Stores.messages.list | healthcare.hl7V2Messages.list on the parent HL7v2 store. |
datasets.hl7V2Stores.messages.patch | healthcare.hl7V2Messages.update on the requested HL7v2 store message. |
Operation method | Required permission |
---|---|
datasets.operations.get | healthcare.operations.get on the requested operation. |
Roles
The following tables list the Cloud Healthcare API Cloud IAM roles, including the permissions associated with each role:
Datasets role | Permissions |
---|---|
roles/healthcare.datasetViewer | |
roles/healthcare.datasetAdmin | All roles/healthcare.datasetViewer permissions, and: |
DICOM store role | Permissions |
---|---|
roles/healthcare.dicomStoreViewer | All roles/healthcare.datasetViewer permissions, and: |
roles/healthcare.dicomStoreAdmin | All roles/healthcare.dicomStoreViewer permissions, and: |
roles/healthcare.dicomViewer | All roles/healthcare.dicomStoreViewer permissions, and: |
roles/healthcare.dicomEditor | All roles/healthcare.dicomViewer permissions, and: |
FHIR store role | Permissions |
---|---|
roles/healthcare.fhirStoreViewer | All roles/healthcare.datasetViewer permissions, and: |
roles/healthcare.fhirStoreAdmin | All roles/healthcare.fhirStoreViewer permissions, and: |
roles/healthcare.fhirSecurityLabelAdmin (v1alpha2 only) | |
roles/healthcare.fhirResourceReader | All roles/healthcare.fhirStoreViewer permissions, and: |
roles/healthcare.fhirResourceEditor | All roles/healthcare.fhirResourceReader permissions, and: |
HL7v2 store role | Permissions |
---|---|
roles/healthcare.hl7V2StoreViewer | All roles/healthcare.datasetViewer permissions, and: |
roles/healthcare.hl7V2StoreAdmin | All roles/healthcare.hl7V2StoreViewer permissions, and: |
roles/healthcare.hl7V2Ingest | All roles/healthcare.hl7V2StoreViewer permissions, and: |
roles/healthcare.hl7V2Consumer | All roles/healthcare.hl7V2StoreViewer permissions, and: |
roles/healthcare.hl7V2Editor | All roles/healthcare.hl7V2StoreViewer permissions, and: |
Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well. For more information about roles, see Understanding roles.