Workspace Routing Rules

Objective

Establish a rule-based key routing mechanism for Google Workspace that automatically determines which workspace key is used to encrypt files, based on predefined conditions such as file name, user, or application.

This ensures that data is consistently encrypted with the correct key according to organizational policies, without relying on user decisions.

Function Purpose

Centralized Encryption Governance

Allow Organization Admins to define routing rules that control how files are encrypted across shared workspaces and individual user workspaces.

Automatic Key Selection

Ensure encryption key selection is fully automated based on rule priority and matching conditions, eliminating manual intervention and reducing misconfiguration risks.

Data Segregation by Design

Support isolation of:

  • Project-level data into project-specific workspaces

  • Personal or sensitive drafts into Individual Workspaces while maintaining enforceable access boundaries.

Current MVP Limitation

Priority-Based Single-Match Engine

  • Rules are evaluated strictly by priority order (ascending).

  • The first matching Active rule is applied.

  • Archived rules are skipped but retain their priority number for audit consistency.

Workspace-Level Routing Scope

  • Routing is applied at the workspace level, not per key.

  • Per-rule key override inside the same workspace is not supported in MVP.

Fallback-First Safety Model

  • If a rule target cannot be applied at runtime, the system falls back to:

    • The next valid rule, or

    • The Org Default Workspace

  • This ensures encryption never fails silently.

Setup Impact

Immediate Enforcement

  • Once a routing rule is created and active, all subsequent Google Workspace encryption operations are evaluated against the rule engine.

  • Applies regardless of who creates the file.

No User Awareness Required

  • End users are not exposed to routing logic or workspace selection.

  • All decisions are enforced at the Oten KMS layer.

Audit-First Operation

  • Rule creation, edits, deactivation, and runtime fallback events are recorded for audit and compliance purposes.

PreviousScreenshotsNextDashboard

Last updated