> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/user-guide/publish-your-docs-2/controlling-key-access-in-your-organization.md).

# Controlling Key Access in Your Organization

This guide explains how your organization can control **who can access your encryption keys** in Oten  KMS — specifically for **Google Workspace Client-Side Encryption (CSE)**.

With Google CSE, your data in Google Drive (Docs, Sheets, Slides), Google Meet, and Google Calendar is encrypted on the user's device before it reaches Google's servers. Oten KMS acts as your **external Key Access Control List Service (KACLS)**, giving your organization full control over the encryption keys. This means **you decide who can encrypt and decrypt** your organization's sensitive data — not Google.

Oten KMS provides two complementary methods to enforce access control:

1. **Organization Routing Rules** — Control which **Workspace** handles a request, based on the application, user email, or request time.
2. **CSE Key Selection Rules** — Within a Workspace, control which **specific key (CMK)** is used, based on similar conditions scoped to that Workspace.
