Disable Cloud Logging for the Cloud Healthcare API

Overview

This guide explains how to set a constraint (constraints/gcp.disableCloudLogging) that disables Cloud Logging for the Cloud Healthcare API at the level of an organization, a project, or a folder. The constraint does not affect Cloud Audit Logs. Logs that are generated before the constraint takes effect are not deleted and can be accessed after the constraint takes effect.

Disabling Cloud Logging for the Cloud Healthcare API

To disable Cloud Logging for the Cloud Healthcare API, you must have the Organization Administrator (roles/resourcemanager.organizationAdmin) role. This role can only be granted at the Organization level. You must have the Organization Policy Administrator (roles/orgpolicy.policyAdminrole) to set or change organization policies.

Console

To disable Cloud Logging for the Cloud Healthcare API:

  1. Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and go to the Organization policies page:

    Go to Organization policies

  2. Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policies page displays a filterable list of organization policy constraints that are available.

  3. In the list of policies that appears, select Disable Cloud Logging for Cloud Healthcare API. The Disable Cloud Logging for Cloud Healthcare API policy uses the constraints/gcp.disableCloudLogging ID. The Policy details page that appears describes the constraint and provides information about how the constraint is applied.

  4. To update the organization policy, click Manage policy.

  5. On the Edit policy page, select Override parent's policy.

  6. Click Add a rule.

  7. Under Enforcement, select an enforcement option:

    • To enable the constraint and disable Cloud Logging for the Cloud Healthcare API, select On.
    • To disable the constraint and enable Cloud Logging for the Cloud Healthcare API, select Off.
  8. To enforce the policy, click Set policy.

gcloud

  1. Get the current policy on the organization resource using the describe command:

    gcloud beta resource-manager org-policies describe \
      constraints/gcp.disableCloudLogging --organization ORGANIZATION_ID
    

    Where ORGANIZATION_ID is the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    booleanPolicy: {}
    constraint: "constraints/gcp.disableCloudLogging"
    
  2. Set the policy to enforce on the organization using the enable-enforce command:

    gcloud beta resource-manager org-policies enable-enforce \
      constraints/gcp.disableCloudLogging --organization ORGANIZATION_ID
    

    After running the command, the following output displays:

    booleanPolicy:
      enforced: true
    constraint: constraints/gcp.disableCloudLogging
    etag: BwVJitxdiwY=
    
  3. View the current effective policy using describe --effective:

    gcloud beta resource-manager org-policies describe \
      constraints/gcp.disableCloudLogging --effective \
      --organization ORGANIZATION_ID
    

    After running the command, the following output displays:

    booleanPolicy:
      enforced: true
    constraint: constraints/gcp.disableCloudLogging
    

What's next

See Using constraints for more information on creating an organization policy with a particular constraint.