> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/user-guide/publish-your-docs-2/controlling-key-access-in-your-organization/combining-both-methods-recommended.md).

# Combining Both Methods (Recommended)

### Combining Both Methods (Recommended) <a href="#id-4.-combining-both-methods-recommended" id="id-4.-combining-both-methods-recommended"></a>

For the strongest security posture, combine both methods. When a Google CSE request arrives, it flows through **two layers** in sequence:

#### How It Works <a href="#how-it-works" id="how-it-works"></a>

1. **Layer 1 — Organization Routing Rules**: Determines which **Workspace** handles the request (based on application, user email, request time).
2. **Layer 2 — CSE Key Selection Rules**: Within that Workspace, determines which **key (CMK)** is used (based on similar conditions, scoped to the workspace).

If no Routing Rule matches → the **Workspace Default Rule** applies. If no Key Selection Rule matches → the **Workspace Default Key** is used.

#### Example: Multi-department with Per-user Key Assignment <a href="#example-multi-department-with-per-user-key-assignment" id="example-multi-department-with-per-user-key-assignment"></a>

**Scenario:** Acme Corp (`@acme.com`) wants:

* Finance and Legal departments to use separate Workspaces.
* Within Finance, the CFO uses a dedicated high-security key, while other Finance staff use the default key.

**Setup:**

* **Routing Rules** (org level):
  * User email = `alice@acme.com` OR `cfo@acme.com` OR `charlie@acme.com` → route to `Finance-Prod` Workspace.
  * User email = `bob@acme.com` OR `diana@acme.com` → route to `Legal-Prod` Workspace.
* **Key Selection Rules** (within `Finance-Prod`):
  * User email = `cfo@acme.com` → use `Finance-Exec-Key`.
  * Default Key: `Finance-General-Key`.

**Sequence Diagram — CFO creating an encrypted Google Sheet:**

<figure><img src="/files/zvaWbZV9GHKJbcHe8lLY" alt=""><figcaption></figcaption></figure>

&#x20;

**Sequence Diagram — Regular Finance employee creating an encrypted Google Sheet (uses default key):**

<figure><img src="/files/UEvJ5UkYxAYTb0wqWklR" alt=""><figcaption></figcaption></figure>

***

### Use Cases by Google Workspace App <a href="#id-5.-use-cases-by-google-workspace-app" id="id-5.-use-cases-by-google-workspace-app"></a>

Here is how the two layers apply to each Google CSE-supported application:

#### Google Drive (Docs, Sheets, Slides) <a href="#google-drive-docs-sheets-slides" id="google-drive-docs-sheets-slides"></a>

<table data-header-hidden><thead><tr><th width="174.96484375"></th><th width="105.1796875"></th><th width="204.60546875"></th><th width="250.48828125"></th></tr></thead><tbody><tr><td><strong>Action</strong></td><td><strong>KACLS Operation</strong></td><td><strong>Layer 1: Routing Rules</strong></td><td><strong>Layer 2: Key Selection Rules</strong></td></tr><tr><td>Create encrypted document</td><td><code>/wrap</code></td><td>Routes to Workspace</td><td>Selects which key encrypts it</td></tr><tr><td>Open encrypted document</td><td><code>/unwrap</code></td><td>Routes to Workspace</td><td>Selects which key decrypts it</td></tr><tr><td>Share encrypted document</td><td>N/A (Google sharing)</td><td>—</td><td>Recipient's access depends on their key rules when they open it</td></tr></tbody></table>

**Common scenario:** An HR manager (`hr-manager@acme.com`) creates an encrypted Google Sheet with salary data. A Routing Rule matches the user's email and routes the request to the `HR-Prod` Workspace. A Key Selection Rule assigns the `HR-Sensitive-Key` for this user. When the CFO opens this file, the same two layers evaluate — routing to the correct workspace and selecting the correct key for decryption.

#### Google Meet <a href="#google-meet" id="google-meet"></a>

<table data-header-hidden><thead><tr><th></th><th width="164.6328125"></th><th width="206.9609375"></th><th width="228.10546875"></th></tr></thead><tbody><tr><td><strong>Action</strong></td><td><strong>KACLS Operation</strong></td><td><p><strong>Layer 1:</strong> </p><p><strong>Routing Rules</strong></p></td><td><p><strong>Layer 2:</strong> </p><p><strong>Key Selection Rules</strong></p></td></tr><tr><td>Start encrypted meeting</td><td><code>/wrap</code></td><td>Routes to Workspace</td><td>Selects which key encrypts the session</td></tr><tr><td>Join encrypted meeting</td><td><code>/unwrap</code></td><td>Routes to Workspace</td><td>Selects which key decrypts the session</td></tr><tr><td>View encrypted recording</td><td><code>/unwrap</code></td><td>Routes to Workspace</td><td>Selects which key decrypts the recording</td></tr></tbody></table>

**Common scenario:** The board of directors holds an encrypted Google Meet. A Routing Rule matches executive emails (`ceo@acme.com`, `cfo@acme.com`) and routes them to `Executive-CSE` Workspace. A Key Selection Rule assigns `Board-Meeting-Key` when Application = Google Meet. Regular employees' requests route to a different workspace or fall back to the default key.

#### Google Calendar <a href="#google-calendar" id="google-calendar"></a>

<table data-header-hidden><thead><tr><th width="183.47265625"></th><th width="153.66015625"></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Action</strong></td><td><strong>KACLS Operation</strong></td><td><p><strong>Layer 1:</strong></p><p><strong>Routing Rules</strong></p></td><td><p><strong>Layer 2:</strong></p><p><strong>Key Selection Rules</strong></p></td></tr><tr><td>Create encrypted event</td><td><code>/wrap</code></td><td>Routes to Workspace</td><td>Selects which key encrypts event details</td></tr><tr><td>View encrypted event details</td><td><code>/unwrap</code></td><td>Routes to Workspace</td><td>Selects which key decrypts event details</td></tr></tbody></table>

**Common scenario:** The Legal team creates encrypted Calendar events for case strategy meetings. A Routing Rule matches Legal team emails (`bob@acme.com`, `diana@acme.com`) and routes them to `Legal-Prod`. A Key Selection Rule assigns `Legal-Calendar-Key` when Application = Google Calendar. Only users whose requests match the same key flow can view the full event details.
