Overview
This guide explains how to set a constraint (constraints/gcp.disableCloudLogging) that disables Cloud Logging for the Cloud Healthcare API at the level of an organization, a project, or a folder.
The constraint does not affect Cloud Audit Logs. Logs that are
generated before the constraint takes effect are not deleted and can
be accessed after the constraint takes effect.
Disabling Cloud Logging for the Cloud Healthcare API
To disable Cloud Logging for the Cloud Healthcare API, you must have the Organization Administrator (roles/resourcemanager.organizationAdmin) role. This role can only be granted at the Organization level. You must have the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to set or change organization policies.
Console
To disable Cloud Logging for the Cloud Healthcare API:
Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and go to the Organization policies page.
Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policies page displays a filterable list of organization policy constraints that are available.
In the list of policies that appears, select Disable Cloud Logging for Cloud Healthcare API. The Disable Cloud Logging for Cloud Healthcare API policy uses the constraints/gcp.disableCloudLogging ID. The Policy details page that appears describes the constraint and provides information about how the constraint is applied.
To update the organization policy, click Manage policy.
On the Edit policy page, select Override parent's policy.
Click Add a rule.
Under Enforcement, select an enforcement option:
- To enable the constraint and disable Cloud Logging for the Cloud Healthcare API, select On.
- To disable the constraint and enable Cloud Logging for the Cloud Healthcare API, select Off.
To enforce the policy, click Set policy.
gcloud
Get the current policy on the organization resource using the describe command:

    gcloud org-policies describe gcp.disableCloudLogging \
        --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

Because a policy isn't set, this returns a NOT_FOUND error:

    ERROR: (gcloud.org-policies.describe) NOT_FOUND: Requested entity was not found.

Set the policy on the organization using the set-policy command.

Create a temporary file /tmp/policy.yaml to store the policy:

    name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
    spec:
      rules:
      - enforce: true

Run the set-policy command:

    gcloud org-policies set-policy /tmp/policy.yaml

View the current effective policy using the describe --effective command:

    gcloud org-policies describe \
        gcp.disableCloudLogging --effective \
        --organization=ORGANIZATION_ID

After running the command, the following output displays:

    name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
    spec:
      rules:
      - enforce: true

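To confirm where the constraint is in effect after set-policy, the following added example (not part of the original guide) classifies the effective policy text returned by describe --effective for one or more resources. The function names constraint_state, sample_policy and check_resource are assumptions made for illustration, and the handling of rules that carry a condition is a defensive assumption about the policy format, not something this guide describes.

```shell
#!/bin/sh
# Added example: classify the effective gcp.disableCloudLogging policy.
# Function names and the sample text are constructed for illustration.

# Reads policy YAML (as printed by `describe --effective`) on stdin and prints:
#   enforced      an unconditional rule has "enforce: true" (logging disabled)
#   conditional   "enforce: true" appears only in rules that carry a condition
#   not-enforced  no rule under "spec:" enforces the constraint
constraint_state() {
  awk '
    function close_rule() { if (in_rule && enf) { if (cond) c = 1; else u = 1 } }
    /^[A-Za-z]/ { top = $1 }            # track the current top-level key
    top != "spec:" { next }             # ignore name:, dryRunSpec:, ...
    /^ *- / { close_rule(); in_rule = 1; enf = 0; cond = 0 }  # new rule starts
    in_rule && /enforce: *true/ { enf = 1 }
    in_rule && /condition:/ { cond = 1 }
    END {
      close_rule()
      r = "not-enforced"; if (c) r = "conditional"; if (u) r = "enforced"
      print r
    }'
}

# Constructed sample: the output shown in this guide after set-policy.
sample_policy() {
  cat <<'EOF'
name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
spec:
  rules:
  - enforce: true
EOF
}

# Queries one resource; $1 is --organization=ID, --folder=ID or --project=ID.
check_resource() {
  if ! policy_text=$(gcloud org-policies describe gcp.disableCloudLogging \
      --effective "$1" 2>/dev/null); then
    echo "unknown"       # lookup failed: do not report it as not-enforced
    return 1
  fi
  printf '%s\n' "$policy_text" | constraint_state
}

# With arguments, print one "<resource flag> <state>" line per resource.
for target in "$@"; do
  printf '%s %s\n' "$target" "$(check_resource "$target")"
done
```

Run it with one resource flag per argument, for example --organization=ORGANIZATION_ID, and keep the output alongside the change record so that every scope where Cloud Logging is disabled is a documented decision.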
What's next
See Using constraints for more information on creating an organization policy with a particular constraint.