Endpoint Encryption


PGP fileshare encryption with group key


    Posted Sep 02, 2016 11:34 AM

    I'm using the flex response from DLP to encrypt files from the DLP console. The configuration I have set up encrypts the file to this ACL:

    DLP (group key) "Admin"

    DLP service account "User"

    Everyone (group key) "User"

    The DLP group key has an LDAP matched users list that I am included in, and the "Everyone" DLP group key includes all users. My understanding is that anyone in the "admin" level group key can unlock and decrypt a file, and that anyone in the "user" level can unlock the file.

    In practice, I can only unlock or decrypt with a private key that I have on my local keyring, in this case the service account or the ADK. My own private key, which is on my keyring and is assigned to my matched consumer record in the PGP group, will not unlock the file. So clearly the relationship so far is 1:1. If I have a private key on my keyring that is part of the direct ACL, I can unlock the file. Otherwise I cannot.

    What am I missing here?