Updating a KACLS Endpoint Perimeter
KACLS endpoint perimeters are the policies that allow or disallow the wrap, unwrap, and takeout_unwrap operations. Refer to Access Policies for details.
Updating a perimeter requires an understanding of Open Policy Agent (OPA) and its Rego policy language.
Use the PATCH /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/perimeters API to update KACLS endpoint perimeters.
Sample Custom Policies
This section describes various scenarios in which custom policies can be applied.
Allowing Case-Insensitive Email Addresses
Access policies are case-sensitive. If you are using the default policy and want the email addresses in the authentication and authorization tokens to be compared case-insensitively, replace the default policy with the following custom policy:
Note
If you are using a custom policy, make sure to add lower(input.authentication.email) == lower(input.authorization.email) to your policy, otherwise tokens whose addresses differ only in letter case are rejected.
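The following Rego policy is an added example of the case-insensitive check described above; it is not the page's own policy and not Thales' default policy. It assumes the perimeter exposes a boolean rule named allow, that the input document carries the authentication and authorization token claims under input.authentication and input.authorization (as the note above implies), and that the embedded OPA accepts the rego.v1 import (OPA 0.59 or later); the package name is a placeholder.

```rego
# Added example; package name is a placeholder, rule name "allow" is assumed.
package kacls_perimeter

import rego.v1

# Deny by default: a request is accepted only if a rule below proves "allow".
default allow := false

# Accept the request when the identity-provider (authentication) token and the
# Google (authorization) token name the same user, ignoring letter case.
# lower() is a built-in, so "Alice@Example.com" and "alice@example.com" match.
allow if {
	lower(input.authentication.email) == lower(input.authorization.email)
}
```

Because the default is false, any input that lacks either email claim evaluates to deny rather than to an undefined result, which is the failure mode you want for a key-access decision.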
Different Primary and Secondary Email Addresses
If you are using an identity-provider email address that differs from the Google Workspace domain email address, you can apply the following custom policy. Where:
authentication.google_email is your Google Workspace domain email address. In this document, this email ID is referred to as the primary email address.
authentication.email is your identity-provider email address. In this document, this email ID is referred to as the secondary email address.
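The following Rego policy is an added example for the primary/secondary address case; it is not the page's own policy. It assumes the same allow rule, input layout and rego.v1 syntax as the page's note, and it adds a constructed primary_for mapping (secondary address to primary address) so that the policy also checks that the two addresses in the authentication token belong together, rather than trusting the pairing blindly.

```rego
# Added example; package name is a placeholder, rule name "allow" is assumed.
package kacls_perimeter

import rego.v1

default allow := false

# Constructed mapping from identity-provider (secondary) address to the
# Google Workspace (primary) address it is allowed to act as. Keys and values
# are stored lowercase so the lookups below are case-insensitive.
primary_for := {
	"alice@idp.example": "alice@workspace.example",
	"bob@idp.example": "bob@workspace.example",
}

allow if {
	primary := lower(input.authentication.google_email)
	secondary := lower(input.authentication.email)

	# The Google Workspace address in the authentication token must be the
	# user the authorization token was issued for.
	primary == lower(input.authorization.email)

	# The identity-provider address must be one that is bound to that
	# Workspace address; an unknown secondary address is denied.
	primary_for[secondary] == primary
}
```

Without the mapping check, a valid authentication token for any IdP user whose token happens to carry someone else's google_email would pass the first comparison alone; the mapping ties the two identities together explicitly.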
Allowing File Encryption/Decryption to a Specific User
If only one user (with the email address user@domain) should be able to encrypt/decrypt a file, a custom policy similar to the following can be used:
Allowing File Encryption/Decryption to a List of Users
If only specific users (for example, user1 and user2) should be able to encrypt/decrypt a file, a custom policy similar to the following can be used:
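The following Rego policy is an added example covering both the single-user case and the list-of-users case above (a single user is just an allowlist with one entry); it is not the page's own policy. It assumes the allow rule, input layout and rego.v1 syntax described earlier; the addresses in allowed_users are constructed.

```rego
# Added example; package name is a placeholder, rule name "allow" is assumed.
package kacls_perimeter

import rego.v1

default allow := false

# Constructed allowlist. Entries are lowercase so membership is
# case-insensitive; for a single user keep exactly one entry here.
allowed_users := {
	"user1@example.com",
	"user2@example.com",
}

allow if {
	email := lower(input.authentication.email)

	# Both tokens must name the same user (the check the page's note requires).
	email == lower(input.authorization.email)

	# And that user must be on the allowlist; anyone else is denied.
	email in allowed_users
}
```

Keep the allowlist in the policy data rather than in separate rule bodies per user: one set literal is easier to review, and adding or removing a user does not touch the rule logic.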
Restricting File Encryption/Decryption to a List of Users of a Domain
If specific users (for example, user3 and user4) of a domain should be prevented from encrypting/decrypting a file, while other users of that domain remain allowed, a custom policy similar to the following can be used:
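The following Rego policy is an added example of the domain-wide allow with a per-user denylist described above; it is not the page's own policy. It assumes the allow rule, input layout and rego.v1 syntax described earlier; workspace_domain and the addresses in denied_users are constructed placeholders.

```rego
# Added example; package name is a placeholder, rule name "allow" is assumed.
package kacls_perimeter

import rego.v1

default allow := false

# Constructed: the Google Workspace domain whose users are allowed by default.
workspace_domain := "example.com"

# Constructed denylist of users in that domain who must not get keys.
denied_users := {
	"user3@example.com",
	"user4@example.com",
}

allow if {
	email := lower(input.authentication.email)

	# Both tokens must name the same user.
	email == lower(input.authorization.email)

	# The user must belong to the Workspace domain. Matching on "@domain"
	# rather than "domain" prevents "attacker@evil-example.com" from passing.
	endswith(email, concat("", ["@", workspace_domain]))

	# Explicitly denied users are rejected even though they are in the domain.
	not email in denied_users
}
```

The domain suffix check is what keeps this a perimeter: without it the denylist alone would still let any address from any domain through, provided it is absent from the list.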
Syntax
Request Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints. |
AUTHTOKEN | string | Authorization token. |
Example Request
Example Response
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
Refer to HTTP status codes for details.