Securely sharing confidential data over a distributed ledger with a fully decentralized and efficient access-control mechanism is a non-trivial challenge to solve. Current blockchain systems either do not support such a functionality or fall back to semi-centralized solutions that provide storage and access control for sensitive data off-chain. In this work we present CALYPSO, the first fully-decentralized, auditable access-control framework for secure blockchain-based data-sharing which builds upon two abstractions. First, on-chain secrets enable collective management of (verifiably shared) secrets under a Byzantine adversary where an access-control blockchain enforces user-specific access rules and a secret-management cothority administrates encrypted data. Second, skipchain-based identity and access management enables efficient administration of dynamic, sovereign identities and access policies and, in particular, permits clients to maintain long-term relationships with respect to evolving user identities thanks to the trust-delegating forward links of skipchains. The evaluation of our CALYPSO implementation shows that the latency for processing read and write requests scales linearly with the number of secret-management trustees and is in the range of 0.2 to 8 seconds for 16 to 128 trustees. Lastly, three specific deployments of CALYPSO illustrate its feasibility and applicability to data-sharing problems faced by real-world organizations.