This page describes how to configure consent policies using attributes.
Attribute definitions are resources in a consent store that determine the consent attributes that the Consent Management API processes and the permitted values for the attributes. Each attribute definition has one of the following attribute types:
- A RESOURCE attribute is an attribute whose value is defined by the properties of the data. For example, whether the data is de-identified or identifiable.
- A REQUEST attribute is an attribute whose value is defined by the proposed use of the data. For example, the groups that are consented for use, such as internal researchers, external researchers, or clinical administrators.
Attribute definitions also determine how an attribute is evaluated when users' consents have no information pertaining to an attribute.
The following diagram shows the data flow for configuring consent attributes:
To support all the attribute definitions your use case requires, repeat the process shown in Creating a RESOURCE attribute definition and Creating a REQUEST attribute definition.
You can create additional attribute definitions or update attribute definitions without having to rebuild your consent store.
Creating a RESOURCE attribute definition
To create a RESOURCE attribute definition, use the projects.locations.datasets.consentStores.attributeDefinitions.create method. Make a POST request and specify the following information in the request:
- The name of the parent consent store
- A name for the attribute definition that's unique in the parent consent store. The name can contain lowercase and uppercase letters, numbers, and underscores. It must not be a reserved keyword within the Common Expression Language (CEL).
- The category of the attribute, in this case RESOURCE
- The possible values that this attribute can represent
- An access token
curl
The following sample shows a POST request using curl that creates a RESOURCE attribute named data_identifiable with values identifiable and de-identified:

# Create the RESOURCE attribute definition "data_identifiable".
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data '{
      "description": "whether the data is identifiable",
      "category": "RESOURCE",
      "allowed_values": ["identifiable", "de-identified"]
    }' \
    "https://healthcare.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions?attribute_definition_id=data_identifiable"

If the request is successful, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions/data_identifiable",
  "description": "whether the data is identifiable",
  "category": "RESOURCE",
  "allowedValues": [
    "identifiable",
    "de-identified"
  ]
}

PowerShell
The following sample shows a POST request using Windows PowerShell that creates a RESOURCE attribute named data_identifiable with values identifiable and de-identified:

# Create the RESOURCE attribute definition "data_identifiable".
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType: "application/consent+json; charset=utf-8" `
  -Body '{
    "description": "whether the data is identifiable",
    "category": "RESOURCE",
    "allowed_values": ["identifiable", "de-identified"]
  }' `
  -Uri "https://healthcare.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions?attribute_definition_id=data_identifiable" | Select-Object -Expand Content

If the request is successful, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions/data_identifiable",
  "description": "whether the data is identifiable",
  "category": "RESOURCE",
  "allowedValues": [
    "identifiable",
    "de-identified"
  ]
}

Creating a REQUEST attribute definition
To create a REQUEST attribute definition, use the projects.locations.datasets.consentStores.attributeDefinitions.create method. Make a POST request and specify the following information in the request:
- The name of the parent consent store
- A name for the attribute definition that's unique in the parent consent store. The name can be any Unicode string of 1 to 256 characters consisting of numbers, letters, underscores, dashes, and periods, but it can't start with a number.
- The category of the attribute, in this case REQUEST
- The possible values that this attribute can represent
- An access token
curl
The following sample shows a POST request using curl that creates a REQUEST attribute named requester_identity:

# Create the REQUEST attribute definition "requester_identity".
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/consent+json; charset=utf-8" \
    --data '{
      "description": "what groups are consented for access",
      "category": "REQUEST",
      "allowed_values": ["internal-researcher", "external-researcher", "clinical-admin"]
    }' \
    "https://healthcare.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions?attribute_definition_id=requester_identity"

If the request is successful, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions/requester_identity",
  "description": "what groups are consented for access",
  "category": "REQUEST",
  "allowedValues": [
    "internal-researcher",
    "external-researcher",
    "clinical-admin"
  ]
}

PowerShell
The following sample shows a POST request using Windows PowerShell that creates a REQUEST attribute named requester_identity:

# Create the REQUEST attribute definition "requester_identity".
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType: "application/consent+json; charset=utf-8" `
  -Body '{
    "description": "what groups are consented for access",
    "category": "REQUEST",
    "allowed_values": ["internal-researcher", "external-researcher", "clinical-admin"]
  }' `
  -Uri "https://healthcare.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions?attribute_definition_id=requester_identity" | Select-Object -Expand Content

If the request is successful, the server returns a response similar to the following sample in JSON format:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID/attributeDefinitions/requester_identity",
  "description": "what groups are consented for access",
  "category": "REQUEST",
  "allowedValues": [
    "internal-researcher",
    "external-researcher",
    "clinical-admin"
  ]
}
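
A pre-flight check for the RESOURCE and REQUEST create requests described above, as an added example that is not part of the original page or of the API's own tooling: it rejects a malformed definition before anything is sent and builds the URL and a strict-JSON body. The names `check_definition` and `build_request` are hypothetical, and the single naming rule and the blank/duplicate value checks are conservative assumptions of this example.

```python
import json
import re
from urllib.parse import quote

# Reserved identifiers from the CEL language definition (cel-spec langdef.md).
CEL_RESERVED = frozenset(
    "true false null in as break const continue else for function if import "
    "let loop package namespace return var void while".split()
)
# Assumption of this example: one conservative rule that satisfies both naming
# rules on this page (ASCII letters, digits, underscores; no leading digit).
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,255}")
CATEGORIES = ("RESOURCE", "REQUEST")
BASE = "https://healthcare.googleapis.com/v1beta1"


def check_definition(definition_id, category, allowed_values):
    """Return a list of problems; an empty list means the definition can be sent."""
    problems = []
    if not NAME_RE.fullmatch(definition_id):
        problems.append("id must be 1-256 letters, digits or underscores, not starting with a digit")
    elif definition_id in CEL_RESERVED:
        problems.append(f"id {definition_id!r} is a CEL reserved keyword")
    if category not in CATEGORIES:
        problems.append(f"category must be one of {CATEGORIES}")
    if not allowed_values:
        problems.append("allowed_values must not be empty")
    if any(not isinstance(v, str) or not v.strip() for v in allowed_values):
        problems.append("allowed_values must be non-blank strings")
    elif len(set(allowed_values)) != len(allowed_values):
        problems.append("allowed_values contains duplicates")
    return problems


def build_request(store, definition_id, category, allowed_values, description=""):
    """Validate, then return (url, body) for attributeDefinitions.create."""
    problems = check_definition(definition_id, category, allowed_values)
    if problems:
        raise ValueError("; ".join(problems))
    url = (f"{BASE}/{quote(store)}/attributeDefinitions"
           f"?attribute_definition_id={quote(definition_id)}")
    body = json.dumps({"description": description, "category": category,
                       "allowed_values": list(allowed_values)})
    return url, body


# Constructed sample: the placeholder path components used on this page.
STORE = ("projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID"
         "/consentStores/CONSENT_STORE_ID")
```

The returned body can be passed to `curl --data` or `Invoke-WebRequest -Body` unchanged.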