Disable Cloud Logging for the Cloud Healthcare API

Overview

This guide explains how to set a constraint ( constraints/gcp.disableCloudLogging ) that disables Cloud Logging for the Cloud Healthcare API at the level of an organization, a project, or a folder. The constraint does not affect Cloud Audit Logs. Logs that are generated before the constraint takes effect are not deleted and can be accessed after the constraint takes effect.

Disabling Cloud Logging for the Cloud Healthcare API

To disable Cloud Logging for the Cloud Healthcare API, you must have the Organization Administrator ( roles/resourcemanager.organizationAdmin ) role. This role can only be granted at the Organization level. You must have the Organization Policy Administrator( roles/orgpolicy.policyAdminrole ) to set or change organization policies.

Console

To disable Cloud Logging for the Cloud Healthcare API:

Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and go to the Organization policiespage:

Go to Organization policies
Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policiespage displays a filterable list of organization policy constraints that are available.
In the list of policies that appears, select Disable Cloud Logging for Cloud Healthcare API. The Disable Cloud Logging for Cloud Healthcare APIpolicy uses the constraints/gcp.disableCloudLogging ID. The Policy detailspage that appears describes the constraint and provides information about how the constraint is applied.
To update the organization policy, click Manage policy.
On the Edit policypage, select Override parent's policy.
Click Add a rule.
Under Enforcement, select an enforcement option:
- To enable the constraint and disable Cloud Logging for the Cloud Healthcare API, select On.
- To disable the constraint and enable Cloud Logging for the Cloud Healthcare API, select Off.
To enforce the policy, click Set policy.

gcloud

Get the current policy on the organization resource using the describe command:
```
 gcloud  
org-policies  
describe  
gcp.disableCloudLogging  
 \ 
  
--organization = 
 ORGANIZATION_ID 
 
```
Replace the ORGANIZATION_ID : with the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID , respectively.

Because a policy isn't set, this returns a NOT_FOUND error:
```
 ERROR:  
 ( 
gcloud.org-policies.describe ) 
  
NOT_FOUND:  
Requested  
entity  
was  
not  
found. 
```

Set the policy on the organization using the set-policy command.

Create a temporary file /tmp/policy.yaml to store the policy:

  name 
 : 
  
 organizations/ ORGANIZATION_ID 
/policies/gcp.disableCloudLogging 
 spec 
 : 
  
 rules 
 : 
  
 - 
  
 enforce 
 : 
  
 true

Run the set-policy command:

 gcloud  
org-policies  
set-policy  
/tmp/policy.yaml

View the current effective policy using the describe --effective command:

 gcloud  
org-policies  
describe  
 \ 
  
gcp.disableCloudLogging  
--effective  
 \ 
  
--organization = 
 ORGANIZATION_ID

After running the command, the following output displays:

  name 
 : 
  
 organizations/ ORGANIZATION_ID 
/policies/gcp.disableCloudLogging 
 spec 
 : 
  
 rules 
 : 
  
 - 
  
 enforce 
 : 
  
 true

What's next

See Using constraints for more information on creating an organization policy with a particular constraint.