Creating and managing consent stores

This page shows how to create and manage consent stores.

The Consent Management API is a tool for recording user consents, managing actions based on those consents, and maintaining associated documentation and records.

The organization using the Consent Management API is responsible for obtaining and maintaining the required consents necessary to permit the processing of any data through the Consent Management API.

The Consent Management API fulfills the role of a policy decision point. Policy enforcement must be implemented in the application or through a proxy. For more information, see Attribute-based access control.

Set up permissions

To use the features in this guide, you must have the roles/healthcare.consentStoreAdmin role. However, to perform additional useful operations with the Consent Management API, additional permissions might be required. See Access control for more details.

Consent stores are the top-level resources that contain all information related to the configuration and operation of the Consent Management API. Consent stores belong to a Cloud Healthcare API dataset, which is assigned to a region when it is created. This region is the geographic location in which your consent store operates.

Console

To create a consent store in the Cloud Console, complete the following steps:

  1. In the Cloud Console, go to the Datasets page.

    Go to the Datasets page

  2. Select the dataset where you want to create a consent store.

  3. Click Create data store.

  4. Select Consent as the data store type.

  5. In the ID field, enter a name of your choice that's unique in your dataset. If the name is not unique, the store creation fails.

  6. Click Next.

  7. In Configure your Consent Store select one of the following options to determine when consents in your store expire:

    • No default expiration time - by default, consents do not expire.
    • Default expiration time - by default, consents expire after the number of days defined in the Expiration time field.
  8. To allow new consent resources to be created using UPDATE, click Allow consent creation on update.

  9. Click Next.

  10. Click Add label to define optional key and value labels to organize your Google Cloud resources.

  11. Click Create.

API

To create a consent store, use the projects.locations.datasets.consentStores.create method.

The following samples show how to get details about a consent store.

Console

To view a consent store's details:

  1. In the Cloud Console, go to the Datasets page.

    Go to the Datasets page

  2. Select the dataset containing the consent store you want to view.
  3. Click the name of the consent store.

API

To get details about a consent store, use the projects.locations.datasets.consentStores.get method.

The following samples show how to list the consent stores in a dataset.

Console

To view the data stores in a dataset:

  1. In the Cloud Console, go to the Datasets page.

    Go to the Datasets page

  2. Click the ID of the dataset whose data stores you want to view.

API

To list the consent stores in a dataset, use the projects.locations.datasets.consentStores.list method.

After you create a consent store, you can update the default expiry duration and the labels.

The following samples show how to edit a consent store.

Console

To edit a consent store, complete the following steps:

  1. In the Cloud Console, go to the Datasets page.

    Go to the Datasets page

  2. Select the dataset containing the consent store you want to edit.
  3. In the Data stores list, click the data store you want to edit.
  4. To edit the consent store's configuration, click the edit icon next to Consent Store Configuration.

    For more information on the consent store's configuration options, see Creating a consent store.
  5. To add one or more labels to the store, click the edit icon next to Labels, click Add label, and enter the key/value label. For more information on resource labels, see Using resource labels.
  6. If you have added a label, click Save.

API

To edit a consent store, use the projects.locations.datasets.consentStores.patch method.

The following samples show how to delete a consent store.

Console

To delete a data store:

  1. In the Cloud Console, go to the Datasets page.

    Go to the Datasets page

  2. Select the dataset containing the data store you want to delete.
  3. Choose Delete from the Actions drop-down list for the data store that you want to delete.
  4. To confirm, type the data store name and then click Delete.

API

To delete a consent store use the projects.locations.datasets.consentStores.delete method.

Audit logging

The Consent Management API writes the following types of audit logs:

  • Admin Activity: record operations that modify the configuration or metadata of a resource. You can't disable Admin Activity audit logs.
  • Data Access: contain API calls that read the configuration or metadata of resources, as well as external API calls that create, modify, or read customer-provided resource data. These logs must be enabled. For example, Data Access audit logs can be used to log what service made an access determination request, what information was provided in that request, and how the API responded to that request. For more information on Data Access audit logs, see Configuring Data Access audit logs. For more information about audit logging in the Cloud Healthcare API, visit Viewing Cloud Audit Logs.

For more information on audit logs for the Consent Management API, see Viewing Cloud Audit Logs.