When using Client-Side Encryption (CSE) with Virtru Private Keystore (VPK), label permissions in Google Workspace determine who can view, apply, or restrict encryption labels across your organization. Getting these permissions right is critical to ensure users have the access they need without compromising security.
This article explains the different permission levels, their use cases, and best practices for configuring them.
Types of Label Permissions
1. Can view this label
- What it does:
- Users can see and search for the label on files they already have view or comment access to.
- They cannot apply the label themselves.
- Use case:
- When you want employees to be aware of a classification (e.g., “Confidential”) but don’t want them applying or changing it.
- CSE impact:
- Not sufficient for universal access. Users will see the label but won’t be able to apply it to encrypted files.
2. Can apply labels and set values
- What it does:
- Users can apply the label, set label values (if configured), and search for files with this label.
- Works on files they can edit.
- Use case:
- Best for organization-wide access or department-level labels where users need to actively classify and encrypt documents.
- CSE impact:
- This is the recommended setting if you want everyone in your organization to access encrypted content with a general label (e.g.,
classification-general).
- This is the recommended setting if you want everyone in your organization to access encrypted content with a general label (e.g.,
3. Restricted access
- What it does:
- Only the people or groups you explicitly add under Advanced permissions can use the label.
- Everyone else in the organization won’t even see it.
- Use case:
- For highly sensitive classifications (e.g.,
classification-legal-onlyorclassification-executive). - Ensures only specific teams can encrypt/decrypt with these labels.
- For highly sensitive classifications (e.g.,
- CSE impact:
- Ideal for restricted access policies, but not suitable if your goal is universal accessibility.
Best Practices for Virtru CSE
- Create a General Access Label
- Example:
classification-general - Assign it “Can apply labels and set values” at the domain level.
- Ensures all employees can access and re-label existing encrypted files.
- Example:
- Layer in Restricted Labels
- Add department- or sensitivity-based labels (e.g., Finance, HR, Legal).
- Configure them with Restricted access tied to the right Google Groups.
- Avoid Nested Groups
- ⚠️ CSE labels do not support nested groups.
- Add users individually or ensure they belong to a top-level Google Group that matches the label name (
classification-<label-name>).
- Review Regularly
- Update label permissions as your teams change.
- Remove users who no longer need access to sensitive labels.
Quick Reference Table
| Permission Level | Who Can See | Who Can Apply | Who Can Access in CSE | Best For |
|---|---|---|---|---|
| Can view this label | Everyone | ❌ No | Limited | Awareness only |
| Can apply labels and set values | Everyone | ✅ Yes | ✅ Yes | Organization-wide access |
| Restricted access | Only added users/groups | ✅ Yes | ✅ Yes (restricted) | Departmental / sensitive use |
Summary
Label permissions define how encryption is enforced across your organization:
- View = Awareness only.
- Apply = Broad or general access.
- Restricted = Locking access to select groups.
For most Virtru Private Keystore deployments, we recommend starting with a general label set to “Can apply labels and set values”, then adding restricted labels for sensitive departments as your labeling strategy matures.