发送反馈
使用 IAM 进行访问权限控制
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
概览
Cloud Healthcare API 使用身份和访问权限管理 (IAM) 进行访问权限控制。
在 Cloud Healthcare API 中,可以在项目、数据集或数据存储层级配置访问权限控制。例如,您可以向一组开发者授予对项目中所有数据集的访问权限。如需了解如何通过 Cloud Healthcare API 设置和使用 IAM,请参阅控制访问权限 和控制对其他产品的访问权限 。
如需详细了解 IAM 及其功能,请参阅 IAM 文档 。尤其应参阅管理 IAM 政策 部分。
Cloud Healthcare API 的每种方法都要求调用方拥有必要的权限。如需了解详情,请参阅权限 和角色 。
权限
下表列出了与 Cloud Healthcare API 关联的 IAM 权限。表中会显示简短的方法名称;每种方法的全名都以 projects.locations. 开头。
许可存储区方法
许可存储区方法
所需权限
datasets.consentStores.checkDataAccess请求的许可存储区的 healthcare.consentStores.checkDataAccess 权限。
datasets.consentStores.create父数据集上的 healthcare.consentStores.create 权限。
datasets.consentStores.delete请求的许可存储区的 healthcare.consentStores.delete 权限。
datasets.consentStores.evaluateUserConsents请求的许可存储区的 healthcare.consentStores.evaluateUserConsents 权限。
datasets.consentStores.get请求的许可存储区的 healthcare.consentStores.get 权限。
datasets.consentStores.getIamPolicy请求的许可存储区的 healthcare.consentStores.getIamPolicy 权限。
datasets.consentStores.list父数据集上的 healthcare.consentStores.list 权限。
datasets.consentStores.patch请求的许可存储区的 healthcare.consentStores.update 权限。
datasets.consentStores.queryAccessibleData请求的许可存储区的 healthcare.consentStores.queryAccessibleData 权限。
datasets.consentStores.setIamPolicy请求的许可存储区的 healthcare.consentStores.setIamPolicy 权限。
datasets.consentStores.attributeDefinitions.create父许可存储区的 healthcare.attributeDefinitions.create 权限。
datasets.consentStores.attributeDefinitions.delete请求的特性定义资源的 healthcare.attributeDefinitions.delete 权限。
datasets.consentStores.attributeDefinitions.get请求的特性定义资源的 healthcare.attributeDefinitions.get 权限。
datasets.consentStores.attributeDefinitions.list父许可存储区的 healthcare.attributeDefinitions.list 权限。
datasets.consentStores.attributeDefinitions.patch请求的特性定义资源的 healthcare.attributeDefinitions.update 权限。
datasets.consentStores.consentArtifacts.create父许可存储区的 healthcare.consentArtifacts.create 权限。
datasets.consentStores.consentArtifacts.delete请求的许可工件资源的 healthcare.consentArtifacts.delete 权限。
datasets.consentStores.consentArtifacts.get请求的许可工件资源的 healthcare.consentArtifacts.get 权限。
datasets.consentStores.consentArtifacts.list父许可存储区的 healthcare.consentArtifacts.list 权限。
datasets.consentStores.consents.create父许可存储区的 healthcare.consents.create 权限。
datasets.consentStores.consents.delete请求的许可资源的 healthcare.consents.delete 权限。
datasets.consentStores.consents.get请求的许可资源的 healthcare.consents.get 权限。
datasets.consentStores.consents.list父许可存储区的 healthcare.consents.list 权限。
datasets.consentStores.consents.patch请求的许可资源的 healthcare.consents.update 权限。
datasets.consentStores.consents.revoke请求的许可资源的 healthcare.consents.revoke 权限。
datasets.consentStores.userDataMappings.archive请求的用户数据映射资源的 healthcare.userDataMappings.archive 权限。
datasets.consentStores.userDataMappings.create父许可存储区的 healthcare.userDataMappings.create 权限。
datasets.consentStores.userDataMappings.delete请求的用户数据映射资源的 healthcare.userDataMappings.delete 权限。
datasets.consentStores.userDataMappings.get请求的用户数据映射资源的 healthcare.userDataMappings.get 权限。
datasets.consentStores.userDataMappings.list父许可存储区的 healthcare.userDataMappings.list 权限。
datasets.consentStores.userDataMappings.patch请求的用户数据映射资源的 healthcare.userDataMappings.update 权限。
数据集方法
数据集方法
所需权限
datasets.create父级 Google Cloud 项目上的 healthcare.datasets.create 权限。
datasets.deidentify源数据集上的 healthcare.datasets.deidentify 权限。 包含目标数据集的 Google Cloud 项目上的 healthcare.datasets.create 权限。
datasets.delete请求数据集上的 healthcare.datasets.delete 权限。
datasets.get请求数据集上的 healthcare.datasets.get 权限。
datasets.getIamPolicy请求数据集上的 healthcare.datasets.getIamPolicy 权限。
datasets.list父级 Google Cloud 项目上的 healthcare.datasets.list 权限。
datasets.patch请求数据集上的 healthcare.datasets.update 权限。
datasets.setIAMPolicy请求数据集上的 healthcare.datasets.setIamPolicy 权限。
DICOM 存储区方法
DICOM 存储方法
所需权限
datasets.dicomStores.create父数据集上的 healthcare.dicomStores.create 权限。
datasets.dicomStores.deidentify源 DICOM 存储区上的 healthcare.dicomStores.deidentify 权限。 目标 DICOM 存储区上的 healthcare.dicomStores.dicomWebWrite 权限。
datasets.dicomStores.delete请求 DICOM 存储区上的 healthcare.dicomStores.delete 权限。
datasets.dicomStores.export请求 DICOM 存储区上的 healthcare.dicomStores.export 权限。 导出到 Cloud Storage 时:将 roles/storage.objectAdmin 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅将数据导出到 Cloud Storage 查看说明。 导出到 BigQuery 时:将 roles/bigquery.dataEditor 和 roles/bigquery.jobUser 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅 DICOM 存储 BigQuery 权限 查看说明。
datasets.dicomStores.get请求 DICOM 存储区上的 healthcare.dicomStores.get 权限。
datasets.dicomStores.getIamPolicy请求 DICOM 存储区上的 healthcare.dicomStores.getIamPolicy 权限。
datasets.dicomStores.import请求 DICOM 存储区上的 healthcare.dicomStores.import 权限。 roles/storage.objectViewer 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅从 Cloud Storage 导入数据 查看说明。
datasets.dicomStores.list父数据集上的 healthcare.dicomStores.list 权限。
datasets.dicomStores.patch请求 DICOM 存储区上的 healthcare.dicomStores.update 权限。
datasets.dicomStores.searchForInstances请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.searchForSeries请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.searchForStudies请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.setIamPolicy请求 DICOM 存储区上的 healthcare.dicomStores.setIamPolicy 权限。
datasets.dicomStores.storeInstances请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebWrite 权限。
datasets.dicomStores.studies.delete请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebDelete 权限。
datasets.dicomStores.studies.retrieveMetadata请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.retrieveStudy请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.searchForInstances请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.searchForSeries请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.storeInstances请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebWrite 权限。
datasets.dicomStores.studies.series.delete请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebDelete 权限。
datasets.dicomStores.studies.series.retrieveMetadata请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.retrieveSeries请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.searchForInstances请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.delete请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebDelete 权限。
datasets.dicomStores.studies.series.instances.retrieveInstance请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.retrieveMetadata请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.retrieveRendered请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.frames.retrieveFrames请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.frames.retrieveRendered请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
datasets.dicomStores.studies.series.instances.bulkdata.retrieveBulkdata请求 DICOM 存储区上的 healthcare.dicomStores.dicomWebRead 权限。
FHIR 存储区方法
FHIR 存储方法
所需权限
datasets.fhirStores.applyConsents请求 FHIR 存储区资源上的 healthcare.fhirStores.applyConsents 权限。
datasets.fhirStores.applyAdminConsents请求 FHIR 存储区资源上的 healthcare.fhirStores.applyConsents 权限。
datasets.fhirStores.configureSearch请求 FHIR 存储区上的 healthcare.fhirStores.configureSearch 权限。
datasets.fhirStores.create父数据集上的 healthcare.fhirStores.create 权限。
datasets.fhirStores.deidentify源 FHIR 存储区上的 healthcare.fhirStores.deidentify 权限。 目标 FHIR 存储空间上的 healthcare.fhirResources.update 权限。
datasets.fhirStores.delete请求 FHIR 存储区上的 healthcare.fhirStores.delete 权限。
datasets.fhirStores.explainDataAccess请求 FHIR 存储区资源上的 healthcare.fhirStores.explainDataAccess 权限。
datasets.fhirStores.export请求 FHIR 存储区上的 healthcare.fhirStores.export 权限。 导出到 Cloud Storage 时:将 storage.objects.create、storage.objects.delete 和 storage.objects.list 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅将 FHIR 资源导出到 Cloud Storage 查看说明。 导出到 BigQuery 时:将 roles/bigquery.dataEditor 和 roles/bigquery.jobUser 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅 FHIR 存储 BigQuery 权限 查看说明。
datasets.fhirStores.get请求 FHIR 存储区上的 healthcare.fhirStores.get 权限。
datasets.fhirStores.getFHIRStoreMetrics请求 FHIR 存储区上的 healthcare.fhirStores.get 权限。
datasets.fhirStores.getIamPolicy请求 FHIR 存储区上的 healthcare.fhirStores.getIamPolicy 权限。
datasets.fhirStores.import请求 FHIR 存储区上的 healthcare.fhirStores.import 权限。 storage.objects.get 和 storage.objects.list 授予项目的 Cloud Healthcare Service Agent 服务账号。请参阅从 Cloud Storage 导入 FHIR 资源 查看说明。
datasets.fhirStores.list父数据集上的 healthcare.fhirStores.list 权限。
datasets.fhirStores.patch请求 FHIR 存储区上的 healthcare.fhirStores.update 权限。
datasets.fhirStores.rollback请求 FHIR 存储区上的 healthcare.fhirStores.rollback 权限。
datasets.fhirStores.setIamPolicy请求 FHIR 存储区上的 healthcare.fhirStores.setIamPolicy 权限。
datasets.fhirStores.fhir.Encounter-everything每个返回资源上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.Observation-lastn父 FHIR 存储区上的 healthcare.fhirStores.searchResources 权限。
datasets.fhirStores.fhir.Patient-everything每个返回资源上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.Resource-purge请求 FHIR 存储区资源上的 healthcare.fhirResources.purge 权限。
datasets.fhirStores.fhir.capabilities请求 FHIR 存储区上的 healthcare.fhirStores.get 权限。
datasets.fhirStores.fhir.conditionalDelete父 FHIR 存储区上的 healthcare.fhirStores.searchResources 权限。 请求 FHIR 存储区资源上的 healthcare.fhirResources.delete 权限。
datasets.fhirStores.fhir.conditionalPatch父 FHIR 存储区上的 healthcare.fhirStores.searchResources 权限。 请求 FHIR 存储区资源上的 healthcare.fhirResources.patch 权限。
datasets.fhirStores.fhir.conditionalUpdate父 FHIR 存储区上的 healthcare.fhirStores.searchResources 权限。 请求 FHIR 存储区资源上的 healthcare.fhirResources.update 权限。
datasets.fhirStores.fhir.create对于条件创建互动:在父 FHIR 存储区中创建 healthcare.fhirResources.create 和 healthcare.fhirStores.searchResources。 对于创建交互:在父 FHIR 存储区上使用 healthcare.fhirResources.create。
datasets.fhirStores.fhir.delete请求 FHIR 存储区资源上的 healthcare.fhirResources.delete 权限。
datasets.fhirStores.fhir.executeBundle请求 FHIR 存储区上的 healthcare.fhirResources.executeBundle 权限,以及与软件包中的各个操作对应的额外权限(例如 healthcare.fhirResources.create 和 healthcare.fhirResources.update)。如果 API 调用程序具有 healthcare.fhirResources.create 权限,但没有 healthcare.fhirResources.update 权限,则调用程序只能执行包含 healthcare.fhirResources.create 操作的软件包。
datasets.fhirStores.fhir.history请求 FHIR 存储去资源及其每个版本上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.patch请求 FHIR 存储区资源上的 healthcare.fhirResources.patch 权限。
datasets.fhirStores.fhir.read请求 FHIR 存储区资源上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.search父 FHIR 存储区上的 healthcare.fhirStores.searchResources 权限。
datasets.fhirStores.fhir.update请求 FHIR 存储区资源上的 healthcare.fhirResources.update 权限。
datasets.fhirStores.fhir.vread请求 FHIR 存储区资源版上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.Patient-consent-enforcement-status请求 FHIR 存储区患者资源上的 healthcare.fhirResources.get 权限。
datasets.fhirStores.fhir.Consent-enforcement-status请求的 FHIR 存储区许可资源的 healthcare.fhirResources.get 权限。
HL7v2 存储区方法
HL7v2 存储方法
所需权限
datasets.hl7V2Stores.create父数据集上的 healthcare.hl7V2Stores.create 权限。
datasets.hl7V2Stores.delete请求 HL7v2 存储区上的 healthcare.hl7V2Stores.delete 权限。
datasets.hl7V2Stores.export请求 HL7v2 存储区上的 healthcare.hl7V2Stores.export 权限。
datasets.hl7V2Stores.get请求 HL7v2 存储区上的 healthcare.hl7V2Stores.get 权限。
datasets.hl7V2Stores.import请求 HL7v2 存储区上的 healthcare.hl7V2Stores.import 权限。
datasets.hl7V2Stores.list父数据集上的 healthcare.hl7V2Stores.list 权限。
datasets.hl7V2Stores.patch请求 HL7v2 存储区上的 healthcare.hl7V2Stores.update 权限。
datasets.hl7V2Stores.getIamPolicy请求 HL7v2 存储区上的 healthcare.hl7V2Stores.getIamPolicy 权限。
datasets.hl7V2Stores.setIamPolicy请求 HL7v2 存储区上的 healthcare.hl7V2Stores.setIamPolicy 权限。
datasets.hl7V2Stores.messages.create父级 HL7v2 存储区上的 healthcare.hl7V2Messages.create 权限。
datasets.hl7V2Stores.messages.delete请求 HL7v2 存储区消息上的 healthcare.hl7V2Messages.delete 权限。
datasets.hl7V2Stores.messages.get请求 HL7v2 存储区消息上的 healthcare.hl7V2Messages.get 权限。
datasets.hl7V2Stores.messages.ingest请求 HL7v2 存储区消息上的 healthcare.hl7V2Messages.ingest 权限。
datasets.hl7V2Stores.messages.list父级 HL7v2 存储区上的 healthcare.hl7V2Messages.list 权限。
datasets.hl7V2Stores.messages.patch请求 HL7v2 存储区消息上的 healthcare.hl7V2Messages.update 权限。
位置方法
位置方法
所需权限
locations.get针对请求位置的 healthcare.locations.get 权限。
locations.list父级 Google Cloud 项目上的 healthcare.locations.list 权限。
Healthcare Natural Language API 方法
Healthcare Natural Language API 方法
所需权限
nlp.analyzeEntitieshealthcare.nlpservice.analyzeEntities
操作方法
操作方法
所需权限
datasets.operations.get请求数据集上的 healthcare.operations.get 权限。
datasets.operations.list请求数据集上的 healthcare.operations.list 权限。
datasets.operations.cancel请求数据集上的 healthcare.operations.cancel 权限。
去标识化方法
去标识化方法
所需权限
services.deidentify.deidentifyDicomInstancehealthcare.deidentify.run
services.deidentify.deidentifyFhirResourcehealthcare.deidentify.run
角色
下表列出了 Cloud Healthcare API IAM 角色,包括与每个角色关联的权限。 roles/owner、roles/editor 和 roles/viewer 角色包含其他 Google Cloud 服务的权限。如需详细了解角色,请参阅了解角色 。
注意 :在存储级层授予 Viewer 角色(例如 roles/healthcare.dicomViewer)并不会为数据集授予该角色。要查看数据集的长时间运行的操作,您还必须授予数据集查看者角色(例如 roles/healthcare.datasetViewer)或数据集的数据存储查看者角色(例如 roles/healthcare.dicomViewer)。 许可存储区角色
许可存储区角色
权限
Healthcare Consent Store Viewer
(roles/)
可以列出数据集中的许可存储区。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Administrator
(roles/)
可以管理许可存储区。
healthcare.consentStores.*
healthcare.healthcare.healthcare.healthcare.healthcare.consentStores.gethealthcare.healthcare.consentStores.listhealthcare.healthcare.healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
许可角色
许可角色
权限
Healthcare Attribute Definition Reader
(roles/)
可以读取许可存储区中的 AttributeDefinition 对象。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/)
可以修改 AttributeDefinition 对象。
healthcare.
healthcare.healthcare.healthcare.healthcare.healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/)
可以读取许可存储区中的 ConsentArtifact 对象。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/)
可以修改 ConsentArtifact 对象。
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/)
可以管理 ConsentArtifact 对象。
healthcare.consentArtifacts.*
healthcare.healthcare.healthcare.healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/)
可以读取许可存储区中的 Consent 对象。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Editor
(roles/)
可以修改 Consent 对象。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.*
healthcare.consents.activatehealthcare.consents.createhealthcare.consents.deletehealthcare.consents.gethealthcare.consents.listhealthcare.consents.rejecthealthcare.consents.revokehealthcare.consents.update
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Reader
(roles/)
可以读取许可存储区中的 UserDataMapping 对象。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
healthcare.
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Editor
(roles/)
可以修改 UserDataMapping 对象。
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
healthcare.userDataMappings.*
healthcare.healthcare.healthcare.healthcare.healthcare.healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
数据集角色
数据集角色
权限
Healthcare Dataset Viewer
(roles/)
可以列出项目中的医疗保健数据集。
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Administrator
(roles/)
可以管理医疗保健数据集。
healthcare.datasets.*
healthcare.datasets.createhealthcare.datasets.deidentifyhealthcare.datasets.deletehealthcare.datasets.gethealthcare.healthcare.datasets.listhealthcare.healthcare.datasets.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.*
healthcare.operations.cancelhealthcare.operations.gethealthcare.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
DICOM 存储区角色
DICOM 存储区角色
权限
Healthcare DICOM Store Viewer
(roles/)
可列出数据集中的 DICOM 存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Administrator
(roles/)
可管理 DICOM 存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.
healthcare.dicomStores.delete
healthcare.
healthcare.dicomStores.get
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.dicomStores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Viewer
(roles/)
可从 DICOM 存储区检索 DICOM 映像。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Editor
(roles/)
可逐个及批量修改 DICOM 映像。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
FHIR 存储区角色
FHIR 存储区角色
权限
Healthcare FHIR Store Viewer
(roles/)
可列出数据集中的 FHIR 存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Administrator
(roles/)
可以管理 FHIR 资源存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.
healthcare.
healthcare.fhirStores.create
healthcare.
healthcare.fhirStores.delete
healthcare.
healthcare.
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.
healthcare.
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.
healthcare.fhirStores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Reader
(roles/)
可读取和搜索 FHIR 资源。
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Editor
(roles/)
可创建、删除、更新、读取和搜索 FHIR 资源。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
HL7v2 存储区角色
HL7v2 存储区角色
权限
Healthcare HL7v2 Store Viewer
(roles/)
可查看数据集中的 HL7v2 存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Administrator
(roles/)
可管理 HL7v2 存储区。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.hl7V2Stores.createhealthcare.hl7V2Stores.deletehealthcare.hl7V2Stores.exporthealthcare.hl7V2Stores.gethealthcare.healthcare.hl7V2Stores.importhealthcare.hl7V2Stores.listhealthcare.healthcare.healthcare.hl7V2Stores.update
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Ingest
(roles/)
可提取从来源网络接收到的 HL7v2 消息。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Consumer
(roles/)
可列出和读取 HL7v2 消息,更新消息标签,以及发布新消息。
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Editor
(roles/)
拥有对 HL7v2 消息的读取、写入和删除权限。
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.healthcare.healthcare.hl7V2Messages.gethealthcare.healthcare.hl7V2Messages.listhealthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Natural Language API 角色
Healthcare Natural Language API 角色
权限
Healthcare NLP Service Viewer
Beta 版
(roles/)
从给定文字中提取和分析医疗实体。
healthcare.locations.*
healthcare.locations.gethealthcare.locations.list
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Healthcare Service Agent
Cloud Healthcare Service Agent 是项目中的一个共享服务账号 ,供 Cloud Healthcare API 用于与Google Cloud中的其他资源进行交互。
例如,此服务代理用于读写 Cloud Storage 存储分区、写入 BigQuery 以及从 Cloud Healthcare API 将消息发布到 Pub/Sub。
如需执行上述任何操作,您必须向 Cloud Healthcare Service Agent 授予对相关 Cloud Storage 存储分区、BigQuery 数据集或 Pub/Sub 主题的访问权限。
为项目创建权限模型时,请记住,授予下列任意角色将允许用户调用作为 Cloud Healthcare Service Agent 运行且有权访问该代理有权访问的任何数据的操作:
roles/healthcare.consentStoreAdminroles/healthcare.consentStoreViewerroles/healthcare.dicomStoreEditorroles/healthcare.dicomStoreViewerroles/healthcare.fhirStoreAdminroles/healthcare.hl7V2StoreAdmin
同样,为自定义角色分配以下权限也将允许用户调用将作为 Cloud Healthcare Service Agent 运行的操作:
healthcare.consentStores.queryAccessibleDatahealthcare.dicomStores.createhealthcare.dicomStores.updatehealthcare.dicomStores.importhealthcare.dicomStores.exporthealthcare.fhirStores.createhealthcare.fhirStores.updatehealthcare.fhirStores.importhealthcare.fhirStores.exporthealthcare.hl7V2Stores.createhealthcare.hl7V2Stores.update
例如:
如果用户具有任何导入权限,而操作会访问 Cloud Healthcare Service Agent 拥有读取访问权限的任何 Cloud Storage 存储分区,那么该用户可运行充当 Cloud Healthcare Service Agent 的这些操作。
如果用户具有任何导出权限,而操作会访问服务代理拥有读取访问权限的任何存储分区,那么该用户可运行充当 Cloud Healthcare Service Agent 的这些操作。
具有创建或更新数据存储区权限的用户可以配置 Cloud Healthcare Service Agent 在数据存储区发生更改时发送的 Pub/Sub 通知目标或 BigQuery 流式传输目标。
最佳做法是,利用多个项目进一步隔离授 予Cloud Healthcare Service Agent 的权限。
发送反馈
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可 获得了许可,并且代码示例已根据 Apache 2.0 许可 获得了许可。有关详情,请参阅 Google 开发者网站政策 。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-08-14。
需要向我们提供更多信息?
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-14。"],[[["\u003cp\u003eThe Cloud Healthcare API uses Identity and Access Management (IAM) to control access at the project, dataset, or data store level, with specific permissions required for each API method.\u003c/p\u003e\n"],["\u003cp\u003eThe API provides methods for various data store types, including Annotation Stores, Consent Stores, Dataset, DICOM Stores, FHIR Stores, and HL7v2 Stores, each with its own set of create, get, list, delete, and update operations.\u003c/p\u003e\n"],["\u003cp\u003eDifferent roles are defined for managing access to healthcare data, such as Annotation Administrator, Consent Store Viewer, DICOM Store Editor, FHIR Resource Reader, and HL7v2 Store Administrator, each with a specific set of permissions.\u003c/p\u003e\n"],["\u003cp\u003eThe Cloud Healthcare Service Agent is a service account with roles and permissions to interact with Google Cloud resources and can access data based on the permissions granted to it.\u003c/p\u003e\n"],["\u003cp\u003eThe system provides access to data from the Healthcare Natural Language API and the de-identification of DICOM and FHIR resources, as well as methods for retrieving location and operation data.\u003c/p\u003e\n"]]],[],null,["# Access control with IAM\n\nOverview\n--------\n\nThe Cloud Healthcare API uses [Identity and Access Management (IAM)](/iam)\nfor access control.\n\nIn the Cloud Healthcare API, access control can be configured at the\nproject, dataset, or data store level. For example, you can grant access to all\ndatasets within a project to a group of developers. To learn how to set up and\nuse IAM with the Cloud Healthcare API, see\n[Controlling access](/healthcare-api/docs/how-tos/controlling-access) and\n[Controlling access to other products](/healthcare-api/docs/how-tos/permissions-healthcare-api-gcp-products).\n\nFor a detailed description of IAM and its features, see the\n[IAM documentation](/iam/docs).\nIn particular, see the section on\n[managing IAM policies](/iam/docs/granting-changing-revoking-access).\n\nEvery Cloud Healthcare API method requires the caller to have the\nnecessary permissions. See [Permissions](#permissions) and [Roles](#roles)\nfor more information.\n\nPermissions\n-----------\n\nThe following tables list the IAM permissions that are associated with the\nCloud Healthcare API. Method names are shortened in the table;\neach method's full name begins with `projects.locations.`.\n\n### Consent store methods\n\n### Dataset methods\n\n### DICOM store methods\n\n### FHIR store methods\n\n### HL7v2 store methods\n\n### Location methods\n\n### Healthcare Natural Language API methods\n\n### Operation methods\n\n### De-identify methods\n\nRoles\n-----\n\nThe following tables list the Cloud Healthcare API IAM\nroles, including the permissions associated with each role. The roles `roles/owner`, `roles/editor`, and `roles/viewer` include\npermissions for other Google Cloud services. For more information\nabout roles, see [Understanding roles](/iam/docs/understanding-roles).\n| **Note:** Granting viewer roles at the store level, such as `roles/healthcare.dicomViewer`, does not also grant the role for the dataset. To view long-running operations for the dataset, you must also grant either the dataset viewer role, such as `roles/healthcare.datasetViewer`, or the data store viewer role, such as `roles/healthcare.dicomViewer`, for the dataset.\n\n### Consent store roles\n\n### Consents roles\n\n### Datasets roles\n\n### DICOM store roles\n\n### FHIR store roles\n\n### HL7v2 store roles\n\n### Healthcare Natural Language API roles\n\nCloud Healthcare Service Agent\n------------------------------\n\nThe **Cloud Healthcare Service Agent** is a shared\n[service account](/iam/docs/service-accounts) in your project that\nCloud Healthcare API uses to interact with other resources in\nGoogle Cloud.\n\nFor example, this service agent is used to read and write to\nCloud Storage buckets, write to BigQuery, and to publish\nmessages to Pub/Sub from the Cloud Healthcare API.\n\nTo execute any of the preceding actions, you must give the **Cloud Healthcare\nService Agent** access to the relevant Cloud Storage bucket,\nBigQuery dataset, or Pub/Sub topic.\n\nAs you create a permission model for your project, remember that granting any of\nthe roles listed below allows the user to invoke operations that run as the\n**Cloud Healthcare Service Agent** and have access to any data that the agent\nhas access to:\n\n- `roles/healthcare.consentStoreAdmin`\n- `roles/healthcare.consentStoreViewer`\n- `roles/healthcare.dicomStoreEditor`\n- `roles/healthcare.dicomStoreViewer`\n- `roles/healthcare.fhirStoreAdmin`\n- `roles/healthcare.hl7V2StoreAdmin`\n\nSimilarly, assigning the following permissions to custom roles would also allow\nthe user to invoke operations that will run as the **Cloud Healthcare Service\nAgent**:\n\n- `healthcare.consentStores.queryAccessibleData`\n- `healthcare.dicomStores.create`\n- `healthcare.dicomStores.update`\n- `healthcare.dicomStores.import`\n- `healthcare.dicomStores.export`\n- `healthcare.fhirStores.create`\n- `healthcare.fhirStores.update`\n- `healthcare.fhirStores.import`\n- `healthcare.fhirStores.export`\n- `healthcare.hl7V2Stores.create`\n- `healthcare.hl7V2Stores.update`\n\nFor example:\n\n- If a user has any import permissions, then the user can run operations that act as the **Cloud Healthcare Service Agent** if those operations access any Cloud Storage buckets that the **Cloud Healthcare Service Agent** has read access to.\n- If a user has any export permissions, then the user can run operations that act as the **Cloud Healthcare Service Agent** if those operations access any bucket that the service agent has write access to.\n- A user who has create or update data store permissions has the ability to configure Pub/Sub notification targets or BigQuery streaming destinations that are sent by the **Cloud\n Healthcare Service Agent** when changes are made to the data store.\n\nAs a best practice, leverage multiple projects to further isolate the\npermissions given to the **Cloud Healthcare Service Agent**."]]
