> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/user-guide/publish-your-docs-2/controlling-key-access-in-your-organization/best-practices.md).

# Best Practices

### Getting Started <a href="#id-6.-getting-started" id="id-6.-getting-started"></a>

#### Step 1: Plan Your Workspace Structure <a href="#step-1-plan-your-workspace-structure" id="step-1-plan-your-workspace-structure"></a>

Decide how to organize your Workspaces based on your company structure:

| **Company Structure**          | **Suggested Workspace Setup**                                   |
| ------------------------------ | --------------------------------------------------------------- |
| Single department using CSE    | 1 Workspace (e.g., `Company-Prod`)                              |
| Multiple departments           | 1 Workspace per department (e.g., `Finance-Prod`, `Legal-Prod`) |
| Separate dev/prod environments | 2 Workspaces per dept (e.g., `Finance-Dev`, `Finance-Prod`)     |

#### Step 2: Create Keys and Set Default <a href="#step-2-create-keys-and-set-default" id="step-2-create-keys-and-set-default"></a>

1. In each Workspace, create a **Customer Master Key (CMK)** for Google CSE.
2. Go to **Google CSE Configuration** and set a **Default Key** for the Workspace.

#### Step 3: Configure Google CSE <a href="#step-3-configure-google-cse" id="step-3-configure-google-cse"></a>

* Detail Google CSE Configuration -> <https://docs.oten.com/kms-support/google-cse-integration/cse-integration-guideline>

#### Step 4: Set Up Routing Rules (if using multiple Workspaces) <a href="#step-4-set-up-routing-rules-if-using-multiple-workspaces" id="step-4-set-up-routing-rules-if-using-multiple-workspaces"></a>

1. Go to **Organization Admin → Routing Rules** in Oten KMS.
2. Create rules using conditions — match on **Application** (Drive, Meet, Calendar), **User email**, and optionally **Request time** — to route requests to the correct Workspace.
3. Set a **Workspace Default Rule** as fallback for unmatched requests.

#### Step 5: Configure CSE Key Selection Rules (if needed) <a href="#step-5-configure-cse-key-selection-rules-if-needed" id="step-5-configure-cse-key-selection-rules-if-needed"></a>

1. In each Workspace, go to **Google CSE → CSE Key Rules**.
2. Create rules to assign specific keys to specific users or applications — using conditions like **User email** and **Application**.
3. Ensure a **Default Key** is set in the Workspace's Google CSE Configuration as fallback.

#### Step 6: Test and Monitor <a href="#step-6-test-and-monitor" id="step-6-test-and-monitor"></a>

* Test with different user accounts to verify that authorized users can encrypt/decrypt and unauthorized users are blocked.
* Test across all Google CSE apps: Drive, Meet, and Calendar.
* Review **Audit Logs** in Oten KMS to confirm that requests are being routed and authorized correctly.

***

### Best Practices <a href="#id-7.-best-practices" id="id-7.-best-practices"></a>

* **Use both layers**: Combine Organization Routing Rules + CSE Key Selection Rules for precise control over both workspace routing and key assignment.
* **Set Default Rules and Keys**: Always configure a Workspace Default Rule and a Default Key so that no request goes unhandled.
* **Enable key rotation**: Set up automatic key rotation policies to reduce risk if a key is compromised.
* **Separate environments**: Never use production keys in development or testing. Use separate Workspaces.
* **Review rules regularly**: Periodically audit your Routing Rules and Key Selection Rules — update them when employees change roles, departments, or leave the organization.
* **Monitor Audit Logs**: Regularly check Oten KMS's Audit Logs for unexpected access patterns, which could indicate misconfiguration or unauthorized access attempts.
