# Open private files

Source: https://docs.settlemint.com/docs/user-guides/user-management/open-private-files
Understand who can open DALP private file links for KYC, organisation, and administrator documents.



Private file links let authenticated DALP users open stored documents without making those documents public. DALP checks the active session, the file category, and the file owner before serving KYC, organisation, or administrator files.

A private file link is an access-controlled route, not a shareable public URL. A link alone is not enough: if the signed-in user does not match the file's access rule, DALP denies the request instead of returning the file.

## Before you start [#before-you-start]

You need:

* an active DALP session
* a private file link generated by a DALP workflow
* the user, organisation, or administrator access that matches the file category

Do not forward private file links as a substitute for granting access. Recipients still need the required DALP session and permission.

## Where private links appear [#where-private-links-appear]

Private file links appear inside DALP workflows that already know which user, organisation, or administrator record owns the file. Typical examples include participant KYC evidence, organisation evidence, and administrator-only support material.

Open the file from the workflow that shows it. Do not copy the route into unrelated pages, bookmarks, or external systems as if it were a public evidence link.

## Access rules [#access-rules]

| File category           | Who can open it                                            | What DALP checks before serving it                   |
| ----------------------- | ---------------------------------------------------------- | ---------------------------------------------------- |
| KYC documents           | The user the document belongs to, or an administrator      | Signed-in user identity or administrator role        |
| Organisation documents  | A member of the matching organisation, or an administrator | Active organisation membership or administrator role |
| Administrator documents | Administrators only                                        | Administrator role                                   |

DALP rejects unknown private file categories by default. It also rejects paths that contain traversal segments so a link cannot escape the intended storage key.

## What happens when you open a private file [#what-happens-when-you-open-a-private-file]

1. Open the file from the DALP workflow that references it.
2. DALP checks that you are signed in.
3. DALP checks whether your user, organisation, or administrator role matches the file category.
4. If access is allowed, DALP reads the stored object and returns it with the file's content type.
5. DALP serves the file with headers that tell the browser not to cache the private response.
6. If access is denied or the file is missing, DALP returns an error instead of the file.

Private files are served with no-cache headers. Treat downloaded copies according to your organisation's evidence-handling and retention process.

## Error outcomes [#error-outcomes]

| Outcome             | What DALP observed                                                      | What to do                                                                      |
| ------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| Unauthorized        | No signed-in user was available for the request.                        | Sign in again, then reopen the file from the DALP workflow.                     |
| Forbidden           | The signed-in user does not have access to that file category or owner. | Ask an administrator to confirm your role, organisation, or document ownership. |
| File not found      | The stored object could not be found.                                   | Reopen the source workflow and confirm the file reference is still current.     |
| Storage unavailable | The object storage service could not be reached.                        | Retry later or follow your organisation's support process.                      |

## Security notes [#security-notes]

* Private file access is checked on every request.
* KYC documents are scoped to the matching user unless an administrator opens them.
* Organisation documents are scoped to the active organisation unless an administrator opens them.
* Administrator documents stay administrator-only.
* The private file response does not make the underlying object public.

## Related guides [#related-guides]

* [Provide KYC data](/docs/user-guides/user-management/provide-kyc-data) for participant document upload and submission.
* [Manage KYC data](/docs/user-guides/compliance/manage-kyc-data) for Identity Manager review, approval, rejection, and update requests.
* [Account security](/docs/user-guides/user-management/account-security) for session and account controls that protect private file access.