Complete snippets — All code snippets are complete and runnable, showing the full workflow from setup to permission management.
Creating a Tenant
Creating a Tenant
Creating a Dataset
Creating a Dataset
Datasets are the core data containers. Create a dataset with automatic permissions for the creator:
Granting Read Permission
Granting Read Permission
Grant specific permissions to principals. Give read access to a user:
Granting Multiple Permissions
Granting Multiple Permissions
Each call grants exactly one permission name, so write a separate call per permission. Give comprehensive access:The four valid
permission_name values are "read", "write", "delete", and "share". Passing any other value raises PermissionNotFoundError.Owner Full Access + Read-Only Collaborator
Owner Full Access + Read-Only Collaborator
The most common pattern: the creator gets full control, a teammate gets read-only access.To upgrade the collaborator to read + write later, grant Use
create_authorized_dataset automatically grants the creator all four permissions (read, write, delete, share) on the new dataset — no extra calls are needed for the owner. To share with another user, call give_permission_on_dataset once per permission you want to grant."write" as a separate call — it does not replace the existing "read" grant:revoke_permission_on_dataset to remove a specific permission later.Repeated Grants and Idempotency
Repeated Grants and Idempotency
give_permission_on_dataset is insert-only and idempotent. Calling it again with the same (principal, dataset_id, permission_name) does not create a duplicate ACL row, does not bump updated_at, and does not raise — the existing row is left as-is.user2 already has read and you want them to have write instead, you must explicitly revoke read and grant write. See the revoke_permission_on_dataset function in ACL.Checking User Permissions
Checking User Permissions
Query what datasets a user can access. Check permissions by type:
Complete Permission Setup
Complete Permission Setup
Set up a complete permission scenario from scratch. This example shows the full workflow:
Permission Inheritance Example
Permission Inheritance Example
Demonstrate how permissions flow through the hierarchy. Show tenant and role inheritance:
Multi-tenant Organization Setup
Multi-tenant Organization Setup
Create organization with multiple teams:
Temporary Access Management
Temporary Access Management
Grant temporary access to external contractor:
Cross-team Collaboration
Cross-team Collaboration
Allow teams to collaborate on shared datasets:
Best Practices
Best Practices
Follow these best practices for permission management:
- Start simple — Begin with basic user and dataset creation
- Use roles for teams — Create roles for different job functions
- Grant tenant permissions — Use tenant-level permissions for organization-wide access
- Regular audits — Periodically review and update permissions
- Document access patterns — Keep clear records of who has access to what
- Test permission changes — Verify permissions work as expected after changes
Setup Configuration
Learn how to configure the permission system
API Reference
Explore permission system API endpoints