> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/user-guide/publish-your-docs-1/google-cse/cse-key-selection-rules.md).

# CSE Key Selection Rules

#### Concept <a href="#a.-concept.1" id="a.-concept.1"></a>

Once a request reaches a Workspace (via Routing Rules), the **CSE Key Selection Rules** determine **which specific key (CMK)** is used for that request. This allows you to assign different keys to different users or applications — all within the same Workspace.

This is the layer that determines: *"This user is creating an encrypted Google Doc — which key should encrypt it?"* or *"This user is opening an encrypted file — which key should decrypt it?"*

#### How It Works <a href="#b.-how-it-works.1" id="b.-how-it-works.1"></a>

CSE Key Selection Rules use **conditions** — similar in structure to Organization Routing Rules — but their scope is within a single Workspace. Each rule evaluates conditions against the incoming request and selects the appropriate key.

Available condition types (same as Routing Rules):

* **User email**: Match specific users or email domains to specific keys.
* **Application**: Route Drive, Meet, or Calendar requests to different keys.
* **Request time**: Optionally match based on when the request is made.

When a request matches a rule, the key specified in that rule is used. If no rule matches, the **Workspace Default Key** is used as fallback.

**Sequence Diagram — Key Selection within a Workspace:**&#x20;

<figure><img src="/files/lCfBqjuPJzfNL3Wy7FF4" alt=""><figcaption></figcaption></figure>

#### Advantages <a href="#c.-advantages.1" id="c.-advantages.1"></a>

* **Per-user key isolation**: Different users within the same Workspace can use different keys — executives use one key, regular staff use another.
* **Per-app key separation**: Use one key for Google Drive encryption and a different key for Google Meet, within the same Workspace.
* **Flexible rules**: Combine conditions (user email + application) to create precise key assignments.
* **Default fallback**: A Workspace Default Key ensures all requests are handled even without specific rules.

#### When To Use This <a href="#d.-when-to-use-this.1" id="d.-when-to-use-this.1"></a>

* You want **different users** in the same Workspace to encrypt/decrypt with **different keys** (e.g., executives vs. regular employees).
* You want to use **separate keys per Google app** — one key for Drive documents, another for Meet recordings.
* You need **granular key assignment** without creating additional Workspaces.

#### Example: Assigning Keys by User Role within a Workspace <a href="#e.-example-assigning-keys-by-user-role-within-a-workspace" id="e.-example-assigning-keys-by-user-role-within-a-workspace"></a>

**Scenario:** Acme Corp has a single `Company-Prod` Workspace. They want:

* Executives (`ceo@acme.com`, `cfo@acme.com`) to use a dedicated high-security key for all their encrypted content.
* All other employees to use the default company key.

**Setup in Oten KMS:**

1. In the `Company-Prod` Workspace, create two CMKs:

   * `Executive-Key` — for executive-encrypted content.
   * `Company-Default-Key` — set as the **Workspace Default Key**.

   <figure><img src="/files/DamHDP53VCsy4y0CBbai" alt=""><figcaption></figcaption></figure>
2. Create CSE Key Selection Rules:

   * Access Oten KMS menu `Google CSE` → `CSE Key Rules` → `Create new rule`

   <figure><img src="/files/2F0MPFvI7T8tvXGTIaS2" alt=""><figcaption></figcaption></figure>

   * **Rule 1**: User email = `ceo@acme.com` → use `Executive-Key`.

   <figure><img src="/files/8uCdlqLdWQ9yjrekfdSu" alt=""><figcaption></figcaption></figure>

   * **Rule 2**: User email = `cfo@acme.com` → use `Executive-Key`.

   <figure><img src="/files/pX2gZ2MT7SbSLyrRPHcC" alt=""><figcaption></figcaption></figure>

   * **Set Default Google CSE Key**

     <figure><img src="/files/6zvGwbqw94JniytlinYx" alt=""><figcaption></figcaption></figure>

**Result:**

* `ceo@acme.com` creates an encrypted Google Doc → matched by Rule 1 → encrypted with `Executive-Key`.
* `employee@acme.com` creates an encrypted Google Sheet → no rule matched → encrypted with `Company-Default-Key`.
* `cfo@acme.com` starts an encrypted Google Meet → matched by Rule 2 → encrypted with `Executive-Key`.
*

#### Example: Separating Keys by Google App <a href="#f.-example-separating-keys-by-google-app" id="f.-example-separating-keys-by-google-app"></a>

**Scenario:** The Legal department wants different keys for different types of content:

* Legal documents in Google Drive should use a `Legal-Docs-Key`.
* Confidential calendar events should use a `Legal-Calendar-Key`.

**Setup in Oten KMS:**

1. In the `Legal-Prod` Workspace, create the keys and set a default.
2. Create CSE Key Selection Rules:
   * Access Oten KMS menu `Google CSE` → `CSE Key Rules` → `Create new rule`
   * **Rule 1**: Application = `Google Drive` → use `Legal-Docs-Key`.
   * **Rule 2**: Application = `Google Calendar` → use `Legal-Calendar-Key`.

**Result:**

* A lawyer creates an encrypted contract in Google Docs → matched by Rule 1 → encrypted with `Legal-Docs-Key`.
* A lawyer creates an encrypted Calendar event for a case meeting → matched by Rule 2 → encrypted with `Legal-Calendar-Key`.
* A lawyer starts an encrypted Google Meet → no rule matched → uses the Workspace Default Key.
