Access to encryption keys is controlled using Google Workspace perimeters. These are optional, additional checks that the KACLS performs on the authentication and authorization tokens after it has validated them.
Access control can be used to:

- Allow only users in a permitted list of domains to decrypt keys.
- Deny specific users, for example the customer's Google Workspace administrators.
- Apply advanced restrictions, for example:
  - Time-based restrictions: whether the employee is on call, on vacation, and so on.
  - Geolocation restrictions: prevent access from specific locations or networks.
  - Role- or type-based access, using the user attributes asserted by the third-party identity provider.
Refer to Sample Custom Policies for different scenarios.
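The following is an added example, not Google's code or any KACLS product's implementation, of how a KACLS could evaluate the perimeter checks listed above over the claims of an already-verified token pair. It assumes the caller has checked both JWT signatures, issuer, audience and expiry beforehand, that both tokens carry an `email` claim, and that the identity provider places the user's role in a claim named `role` (an assumption; real IdPs use provider-specific claim names). The policy values and token claims are constructed for the example.

```python
"""Perimeter checks over already-verified CSE token claims (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Mapping, Tuple


@dataclass(frozen=True)
class PerimeterPolicy:
    allowed_domains: frozenset                    # only users in these domains may unwrap keys
    denied_users: frozenset = frozenset()         # explicit deny list, e.g. Workspace admins
    blocked_networks: tuple = ()                  # CIDR strings standing in for a geo/network block
    allowed_hours_utc: Tuple[int, int] = (0, 24)  # half-open [start, end) window in UTC
    required_idp_roles: frozenset = frozenset()   # empty means no role requirement
    idp_role_claim: str = "role"                  # ASSUMED claim name; IdP-specific in practice


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def check_perimeter(authn: Mapping, authz: Mapping, client_ip: str,
                    now: datetime, policy: PerimeterPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason). Signature, issuer, audience and expiry of both
    tokens are assumed to have been validated before this function is called."""
    user = authz.get("email", "").lower()
    # 1. Both tokens must describe the same principal.
    if not user or user != authn.get("email", "").lower():
        return False, "email mismatch between authentication and authorization tokens"
    # 2. Domain allow list.
    if _domain(user) not in policy.allowed_domains:
        return False, f"domain {_domain(user)} not permitted"
    # 3. Explicit deny list (e.g. the customer's Workspace administrators).
    if user in policy.denied_users:
        return False, f"user {user} is explicitly denied"
    # 4. Network restriction; an unparseable address is treated as a deny.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    for cidr in policy.blocked_networks:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return False, f"client address {client_ip} is in blocked network {cidr}"
    # 5. Time-based restriction (e.g. only during the on-call window).
    hour = now.astimezone(timezone.utc).hour
    start, end = policy.allowed_hours_utc
    if not start <= hour < end:
        return False, f"access outside permitted hours ({start:02d}:00-{end:02d}:00 UTC)"
    # 6. Role asserted by the third-party IdP in the authentication token.
    if policy.required_idp_roles:
        role = authn.get(policy.idp_role_claim)
        if role not in policy.required_idp_roles:
            return False, f"IdP role {role!r} not in required roles"
    return True, "all perimeter checks passed"


# Constructed sample policy and claims; every value below is invented for the example.
POLICY = PerimeterPolicy(
    allowed_domains=frozenset({"example.com"}),
    denied_users=frozenset({"admin@example.com"}),
    blocked_networks=("203.0.113.0/24",),
    allowed_hours_utc=(8, 18),
    required_idp_roles=frozenset({"engineer", "oncall"}),
)
AUTHN = {"iss": "https://idp.example.com", "email": "alice@example.com", "role": "oncall"}
AUTHZ = {"email": "alice@example.com", "role": "reader", "resource_name": "constructed-doc-id"}
NOON = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LATE_NIGHT = datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc)


def demo() -> Tuple[bool, str]:
    """Evaluate the sample request: on-call engineer, permitted domain, office hours."""
    return check_perimeter(AUTHN, AUTHZ, "198.51.100.7", NOON, POLICY)


if __name__ == "__main__":
    print(demo())
```

The checks are ordered so that the cheapest and most decisive ones (principal consistency, domain) run first, and each denial returns a specific reason, which is what a KACLS should record in its own audit log while returning only a generic error to the client.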