Access control

Overview

The Cloud Healthcare API uses Cloud Identity and Access Management (Cloud IAM) for access control.

In the Cloud Healthcare API, access control can be configured at the project, dataset, or data store level. Access control can also be configured for FHIR store security labels (v1alpha2 only). For example, you can grant access to all datasets within a project to a group of developers. To learn how to set up and use Cloud IAM with the Cloud Healthcare API, see Controlling access and Controlling access to other products.

For a detailed description of IAM and its features, see the Cloud IAM documentation. In particular, see the section on managing Cloud IAM policies.

Every Cloud Healthcare API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.

Permissions

This section summarizes the Cloud Healthcare API permissions that Cloud IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with the Cloud Healthcare API. Note that method names are shortened in the table; each method's full name begins with projects.locations.

Datasets method Required permissions
datasets.create healthcare.datasets.create on the parent Google Cloud project.
datasets.deidentify
  • healthcare.datasets.deidentify on the source dataset.
  • healthcare.datasets.create on the Google Cloud project containing the destination dataset.
datasets.delete healthcare.datasets.delete on the requested dataset.
datasets.get healthcare.datasets.get on the requested dataset.
datasets.getIamPolicy healthcare.datasets.getIamPolicy on the requested dataset.
datasets.list healthcare.datasets.list on the parent Google Cloud project.
datasets.patch healthcare.datasets.update on the requested dataset.
datasets.setIamPolicy healthcare.datasets.setIamPolicy on the requested dataset.
DICOM store method Required permissions
datasets.dicomStores.create healthcare.dicomStores.create on the parent dataset.
datasets.dicomStores.deidentify
  • healthcare.dicomStores.deidentify on the source DICOM store.
  • healthcare.dicomStores.create on the dataset containing the destination DICOM store.
datasets.dicomStores.delete healthcare.dicomStores.delete on the requested DICOM store.
datasets.dicomStores.export
  • healthcare.dicomStores.export on the requested DICOM store.
  • When exporting to Cloud Storage: roles/storage.objectAdmin granted to the project's Cloud Healthcare Service Agent service account. See Exporting data to Cloud Storage for instructions.
  • When exporting to BigQuery: roles/bigquery.dataEditor and roles/bigquery.jobUser granted to the project's Cloud Healthcare Service Agent service account. See DICOM store BigQuery permissions for instructions.
datasets.dicomStores.get healthcare.dicomStores.get on the requested DICOM store.
datasets.dicomStores.getIamPolicy healthcare.dicomStores.getIamPolicy on the requested DICOM store.
datasets.dicomStores.import
  • healthcare.dicomStores.import on the requested DICOM store.
  • roles/storage.objectViewer granted to the project's Cloud Healthcare Service Agent service account. See Importing data from Cloud Storage for instructions.
datasets.dicomStores.list healthcare.dicomStores.list on the parent dataset.
datasets.dicomStores.patch healthcare.dicomStores.update on the requested DICOM store.
datasets.dicomStores.searchForInstances healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.searchForSeries healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.searchForStudies healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.setIamPolicy healthcare.dicomStores.setIamPolicy on the requested DICOM store.
datasets.dicomStores.storeInstances healthcare.dicomStores.dicomWebWrite on the requested DICOM store.
datasets.dicomStores.studies.delete healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.retrieveMetadata healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.retrieveStudy healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.searchForInstances healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.searchForSeries healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.storeInstances healthcare.dicomStores.dicomWebWrite on the requested DICOM store.
datasets.dicomStores.studies.series.delete healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.series.retrieveMetadata healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.retrieveSeries healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.searchForInstances healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.delete healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveInstance healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveMetadata healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveRendered healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.frames.retrieveFrames healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.frames.retrieveRendered healthcare.dicomStores.dicomWebRead on the requested DICOM store.
FHIR store method Required permissions
datasets.fhirStores.create healthcare.fhirStores.create on the parent dataset.
datasets.fhirStores.deidentify
  • healthcare.fhirStores.deidentify on the source FHIR store.
  • healthcare.fhirStores.create on the dataset containing the destination FHIR store.
datasets.fhirStores.delete healthcare.fhirStores.delete on the requested FHIR store.
datasets.fhirStores.export
  • healthcare.fhirStores.export on the requested FHIR store.
  • When exporting to Cloud Storage: roles/storage.objectCreator granted to the project's Cloud Healthcare Service Agent service account. See Exporting FHIR resources to Cloud Storage for instructions.
  • When exporting to BigQuery: roles/bigquery.dataEditor and roles/bigquery.jobUser granted to the project's Cloud Healthcare Service Agent service account. See FHIR store BigQuery permissions for instructions.
datasets.fhirStores.get healthcare.fhirStores.get on the requested FHIR store.
datasets.fhirStores.getIamPolicy healthcare.fhirStores.getIamPolicy on the requested FHIR store.
datasets.fhirStores.import
  • healthcare.fhirStores.import on the requested FHIR store.
  • roles/storage.objectViewer granted to the project's Cloud Healthcare Service Agent service account. See Importing FHIR resources from Cloud Storage for instructions.
datasets.fhirStores.list healthcare.fhirStores.list on the parent dataset.
datasets.fhirStores.patch healthcare.fhirStores.update on the requested FHIR store.
datasets.fhirStores.setIamPolicy healthcare.fhirStores.setIamPolicy on the requested FHIR store.
datasets.fhirStores.fhir.Observation-lastn
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.get on each Observation returned.
datasets.fhirStores.fhir.Patient-everything healthcare.fhirResources.get on each resource returned.
datasets.fhirStores.fhir.Resource-purge healthcare.fhirResources.purge on the requested FHIR store resource.
datasets.fhirStores.fhir.capabilities healthcare.fhirStores.get on the requested FHIR store.
datasets.fhirStores.fhir.conditionalDelete
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.delete on the requested FHIR store resource.
datasets.fhirStores.fhir.conditionalPatch
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.patch on the requested FHIR store resource.
datasets.fhirStores.fhir.conditionalUpdate
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.update on the requested FHIR store resource.
datasets.fhirStores.fhir.create
  • For conditional create interactions: healthcare.fhirResources.create and healthcare.fhirStores.searchResources on the parent FHIR store.
  • For create interactions: healthcare.fhirResources.create on the parent FHIR store.
datasets.fhirStores.fhir.delete healthcare.fhirResources.delete on the requested FHIR store resource.
datasets.fhirStores.fhir.executeBundle healthcare.fhirStores.get on the requested FHIR store, and additional permissions (such as healthcare.fhirResources.create and healthcare.fhirResources.update) corresponding to individual operations within the bundle. If the API caller has healthcare.fhirResources.create permissions but not healthcare.fhirResources.update permissions, the caller can only execute bundles containing healthcare.fhirResources.create operations.
datasets.fhirStores.fhir.history healthcare.fhirResources.get on the requested FHIR store resource and each of its versions.
datasets.fhirStores.fhir.patch healthcare.fhirResources.patch on the requested FHIR store resource.
datasets.fhirStores.fhir.read healthcare.fhirResources.get on the requested FHIR store resource.
datasets.fhirStores.fhir.search
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.get on each resource returned.
datasets.fhirStores.fhir.update healthcare.fhirResources.update on the requested FHIR store resource.
datasets.fhirStores.fhir.vread healthcare.fhirResources.get on the requested FHIR store resource version.
datasets.fhirStores.securityLabels.getIamPolicy (v1alpha2 only)
  • healthcare.fhirStores.getIamPolicy on the requested FHIR store.
  • healthcare.fhirSecurityLabels.getIamPolicy on the requested security label.
datasets.fhirStores.securityLabels.setIamPolicy (v1alpha2 only)
  • healthcare.fhirSecurityLabels.setIamPolicy on the requested FHIR store.
  • healthcare.fhirSecurityLabels.setIamPolicy on the requested security label.
HL7v2 store method Required permissions
datasets.hl7V2Stores.create healthcare.hl7V2Stores.create on the parent dataset.
datasets.hl7V2Stores.delete healthcare.hl7V2Stores.delete on the requested HL7v2 store.
datasets.hl7V2Stores.get healthcare.hl7V2Stores.get on the requested HL7v2 store.
datasets.hl7V2Stores.list healthcare.hl7V2Stores.list on the parent dataset.
datasets.hl7V2Stores.patch healthcare.hl7V2Stores.update on the requested HL7v2 store.
datasets.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.getIamPolicy on the requested HL7v2 store.
datasets.hl7V2Stores.setIamPolicy healthcare.hl7V2Stores.setIamPolicy on the requested HL7v2 store.
datasets.hl7V2Stores.messages.create healthcare.hl7V2Messages.create on the parent HL7v2 store.
datasets.hl7V2Stores.messages.delete healthcare.hl7V2Messages.delete on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.get healthcare.hl7V2Messages.get on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.ingest healthcare.hl7V2Messages.ingest on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.list healthcare.hl7V2Messages.list on the parent HL7v2 store.
datasets.hl7V2Stores.messages.patch healthcare.hl7V2Messages.update on the requested HL7v2 store message.
Operation method Required permission
datasets.operations.get healthcare.operations.get on the requested operation.
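
As an added illustration of the datasets.fhirStores.fhir.executeBundle rule in the table above (this is example code, not part of the Cloud Healthcare API or its client libraries), the following Python pre-flight check derives the permissions a bundle needs from its entries and reports the ones a caller lacks; the verb-to-permission mapping and the sample bundle are assumptions.

```python
"""Pre-flight check for datasets.fhirStores.fhir.executeBundle: derive the
permissions a bundle needs from its entries and report the ones a caller lacks."""

# Assumed mapping from FHIR bundle entry verbs to the per-resource permissions
# named in the table above; the verb-to-permission mapping is not on the page.
ENTRY_PERMS = {
    "GET": "healthcare.fhirResources.get",
    "POST": "healthcare.fhirResources.create",
    "PUT": "healthcare.fhirResources.update",
    "PATCH": "healthcare.fhirResources.patch",
    "DELETE": "healthcare.fhirResources.delete",
}
STORE_GET = "healthcare.fhirStores.get"
STORE_SEARCH = "healthcare.fhirStores.searchResources"

def required_permissions(bundle):
    """Permissions needed to execute every entry of the bundle: fhirStores.get on
    the store, the per-verb permission of each entry, and searchResources for
    conditional interactions (If-None-Exist on create, search URL on update/patch/delete)."""
    needed = {STORE_GET}
    for entry in bundle.get("entry", []):
        request = entry["request"]
        method = request["method"].upper()
        if method not in ENTRY_PERMS:
            raise ValueError("unsupported bundle entry method: " + method)
        needed.add(ENTRY_PERMS[method])
        conditional = (method == "POST" and "ifNoneExist" in request) or (
            method in ("PUT", "PATCH", "DELETE") and "?" in request.get("url", ""))
        if conditional:
            needed.add(STORE_SEARCH)
    return needed

def missing_permissions(bundle, caller_perms):
    """Permissions the caller still lacks; an empty set means the bundle can run."""
    return required_permissions(bundle) - set(caller_perms)

# Constructed sample bundle: one plain create and one conditional update.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "transaction",
    "entry": [
        {"resource": {"resourceType": "Patient"},
         "request": {"method": "POST", "url": "Patient"}},
        {"resource": {"resourceType": "Observation"},
         "request": {"method": "PUT", "url": "Observation?identifier=abc"}},
    ],
}
```

A caller holding only healthcare.fhirStores.get and healthcare.fhirResources.create can run a create-only bundle but not SAMPLE_BUNDLE, matching the executeBundle row above.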

Roles

The following table lists the Cloud Healthcare API Cloud IAM roles, including the permissions associated with each role:

Datasets role Permissions
roles/healthcare.datasetViewer
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.operations.get
roles/healthcare.datasetAdmin All roles/healthcare.datasetViewer permissions, and:
  • healthcare.datasets.create
  • healthcare.datasets.delete
  • healthcare.datasets.update
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.setIamPolicy
  • healthcare.datasets.deidentify
  • healthcare.operations.list
DICOM store role Permissions
roles/healthcare.dicomStoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
roles/healthcare.dicomStoreAdmin All roles/healthcare.dicomStoreViewer permissions, and:
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.operations.cancel
roles/healthcare.dicomViewer All roles/healthcare.dicomStoreViewer permissions, and:
  • healthcare.dicomStores.export
  • healthcare.dicomStores.dicomWebRead
roles/healthcare.dicomEditor All roles/healthcare.dicomViewer permissions, and:
  • healthcare.dicomStores.import
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.operations.cancel
FHIR store role Permissions
roles/healthcare.fhirStoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
roles/healthcare.fhirStoreAdmin All roles/healthcare.fhirStoreViewer permissions, and:
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.update
  • healthcare.fhirStores.import
  • healthcare.fhirStores.export
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.setIamPolicy
  • healthcare.operations.cancel
roles/healthcare.fhirSecurityLabelAdmin (v1alpha2 only)
  • healthcare.fhirSecurityLabels.getIamPolicy
  • healthcare.fhirSecurityLabels.setIamPolicy
roles/healthcare.fhirResourceReader All roles/healthcare.fhirStoreViewer permissions, and:
  • healthcare.fhirResources.get
  • healthcare.fhirResources.search
  • healthcare.fhirStores.searchResources
roles/healthcare.fhirResourceEditor All roles/healthcare.fhirResourceReader permissions, and:
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.update
HL7v2 store role Permissions
roles/healthcare.hl7V2StoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
roles/healthcare.hl7V2StoreAdmin All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Stores.create
  • healthcare.hl7V2Stores.update
  • healthcare.hl7V2Stores.delete
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.setIamPolicy
  • healthcare.operations.cancel
roles/healthcare.hl7V2Ingest All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.ingest
roles/healthcare.hl7V2Consumer All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.update
roles/healthcare.hl7V2Editor All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.delete
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.ingest
  • healthcare.operations.cancel

Note that roles/owner, roles/editor, and roles/viewer also include permissions for other Google Cloud Platform services. For more information about roles, see Understanding roles.
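
As an added example (not code from the Cloud Healthcare API documentation or its client libraries), the following Python script transcribes the dataset and FHIR rows of the two tables above, resolves role inheritance into flat permission sets, and picks the least-privileged predefined role for a method. It shows, for instance, that roles/healthcare.fhirStoreAdmin does not allow datasets.fhirStores.fhir.search, since only the fhirResource* roles carry healthcare.fhirResources.get.

```python
"""Flatten the predefined roles listed above and pick the least-privileged one
for a method. ROLES transcribes the dataset and FHIR roles from the table (a
subset); 'inherits' mirrors the 'All roles/X permissions, and:' wording."""
ROLES = {
    "roles/healthcare.datasetViewer": {"inherits": [], "perms": [
        "healthcare.datasets.get", "healthcare.datasets.list",
        "healthcare.operations.get"]},
    "roles/healthcare.fhirStoreViewer": {
        "inherits": ["roles/healthcare.datasetViewer"],
        "perms": ["healthcare.fhirStores.get", "healthcare.fhirStores.list"]},
    "roles/healthcare.fhirStoreAdmin": {
        "inherits": ["roles/healthcare.fhirStoreViewer"], "perms": [
        "healthcare.fhirStores.create", "healthcare.fhirStores.deidentify",
        "healthcare.fhirStores.delete", "healthcare.fhirStores.update",
        "healthcare.fhirStores.import", "healthcare.fhirStores.export",
        "healthcare.fhirResources.purge", "healthcare.fhirStores.getIamPolicy",
        "healthcare.fhirStores.setIamPolicy", "healthcare.operations.cancel"]},
    "roles/healthcare.fhirResourceReader": {
        "inherits": ["roles/healthcare.fhirStoreViewer"], "perms": [
        "healthcare.fhirResources.get", "healthcare.fhirResources.search",
        "healthcare.fhirStores.searchResources"]},
    "roles/healthcare.fhirResourceEditor": {
        "inherits": ["roles/healthcare.fhirResourceReader"], "perms": [
        "healthcare.fhirResources.create", "healthcare.fhirResources.delete",
        "healthcare.fhirResources.patch", "healthcare.fhirResources.update"]},
}

# Required permissions per method, from the FHIR store table above (subset).
METHOD_PERMS = {
    "datasets.fhirStores.fhir.search": {
        "healthcare.fhirStores.searchResources", "healthcare.fhirResources.get"},
    "datasets.fhirStores.fhir.update": {"healthcare.fhirResources.update"},
    "datasets.fhirStores.export": {"healthcare.fhirStores.export"},
}

def permissions_of(role):
    """Flatten a role by recursively following its 'inherits' chain."""
    perms = set(ROLES[role]["perms"])
    for parent in ROLES[role]["inherits"]:
        perms |= permissions_of(parent)
    return perms

def roles_allowing(method):
    """Predefined roles whose flattened permissions cover the method's needs."""
    need = METHOD_PERMS[method]
    return sorted(r for r in ROLES if need <= permissions_of(r))

def least_privileged_role(method):
    """Of the roles allowing the method, the one granting the fewest permissions."""
    return min(roles_allowing(method), key=lambda r: len(permissions_of(r)))
```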
