Share datasets with other users
By default, only the user who uploaded a dataset can decrypt it: the dataset's encryption key sits in the secret store under an ACL that lists the uploader as the sole Owner. To let other users in your organization use the dataset — for example, to provision it to a DCR or download it — you grant them access by adding them to that ACL.
The dataset itself is encrypted once with a single symmetric key. Sharing does not re-encrypt the data; it adds entries to the ACL that governs who can retrieve that key from the secret store. Recipients use the same key the uploader generated.
The ACL must contain at least one Owner and may only list users from your own organization. The two roles are:
- Owner: can use the dataset and modify the ACL.
- User: can use the dataset (provision it to a DCR, download it) but cannot modify the ACL.
Share a dataset at upload time
Pass a SecretStoreOptions ACL to upload_dataset. This is the simplest path when you know up front who should have access:
from decentriq_platform import Key, SecretStoreOptions
key = Key()
secret_store_options = SecretStoreOptions(
encryption_key_acl={
"type": "UsersList",
"users": [
{"id": user_email, "role": "Owner"},
{"id": "colleague@your-org.com", "role": "User"},
],
},
)
with open("local-file.csv", "rb") as data:
manifest_hash = client.upload_dataset(
data,
key,
"shared-data.csv",
secret_store_options=secret_store_options,
)
The recipient then retrieves the encryption key from their own secret store and uses the dataset without ever seeing the original Key object:
import decentriq_platform as dq
colleague_client = dq.create_client("colleague@your-org.com", colleague_api_token)
# Retrieve the shared encryption key
key = colleague_client.get_dataset_key(manifest_hash)
# Use the dataset as the original uploader would, e.g. provision it to a DCR
raw_data_node = dcr.get_node("my-raw-data-node")
raw_data_node.publish_dataset(manifest_hash, key)