Workspace & Organization Routing Rules

Concept

Your organization can create multiple Workspaces in Oten KMS — each acting as an isolated container for a set of encryption keys (CMKs). Organization Routing Rules automatically direct incoming Google CSE requests to the correct Workspace based on the request context.

This is ideal when your company has multiple departments or Google Workspace organizations that each need their own set of encryption keys.

How It Works

When a user in Google Workspace performs an encryption operation (e.g., creating an encrypted Google Doc, starting an encrypted Google Meet, or adding an encrypted Calendar event), Google sends a request to your Oten KMS KACLS endpoint. The Organization Routing Rules evaluate the request and route it to the appropriate Workspace.

Each routing rule is composed of conditions that match against the incoming request. The available condition types are:

• Application: Which Google Workspace app is making the request — Google Drive, Google Meet, or Google Calendar.

• User email: The email address of the user performing the action.

• Request time: When the request is made (e.g., business hours only).

A rule can combine up to 10 conditions. When a request matches all conditions in a rule, it is routed to the designated Workspace. If no specific rule matches, the request falls back to the Workspace Default Rule.

Sequence Diagram — Routing a Google Drive CSE Request:

Advantages

• Clear separation: Complete isolation of keys between departments, teams, or environments (dev/staging/prod).

• Aligned with company structure: Workspaces map directly to departments, business units, or Google Workspace organizations.

• Easy auditing: Track and report key usage per Workspace — simplifying compliance audits.

• Delegated management: Workspace administrators can manage their own keys and access policies independently.

When To Use This

• Your company has multiple departments (Finance, Legal, HR) that need separate sets of encryption keys.

• You need strict separation between environments (development vs. production keys).

• You want to delegate key management to individual team leads or department admins.

• You want different Google Workspace apps (Drive, Meet, Calendar) to use keys from different Workspaces.

Example: Separating Departments

Scenario: Acme Corp (@acme.com) has two departments, each using Google CSE for different purposes:

• Finance Department (Alice, Charlie) — encrypts financial reports in Google Sheets and meeting recordings in Google Meet.

• Legal Department (Bob, Diana) — encrypts contracts in Google Docs and case discussions in Google Calendar.

Setup in Oten KMS:

1. Create two Workspaces:

   • Finance-Prod — contains CMKs for Finance team's encrypted data.

   • Legal-Prod — contains CMKs for Legal team's encrypted data.

   • 
   • 
2. Create Organization Routing Rules:

   • Access the Organization Admin Dashboard in your personal avatar menu

   

   • Access Routing Rules → Add rule

   

   • Rule 1 (Finance): User email = alice@acme.com OR charlie@acme.com → route to Finance-Prod.

   

   • Rule 2 (Legal): User email = bob@acme.com OR diana@acme.com → route to Legal-Prod.

1. Set a Workspace Default Rule as fallback for any unmatched requests.

Result:

• Alice (alice@acme.com) creates an encrypted Google Sheet → matched by Rule 1 → routes to Finance-Prod → uses Finance's CMK.

• Bob (bob@acme.com) creates an encrypted Google Doc → matched by Rule 2 → routes to Legal-Prod → uses Legal's CMK.

• Finance users cannot access Legal's keys, and vice versa.