We have gotten a report of an “access_denied_insufficient_permissions” error when our connector is trying to fetch users via the “https://api.box.com/2.0/users” endpoint. The authentication works as expected. These are the permissions setup in the app:
- Manage users
- Manage enterprise properties
They are reporting that they are using Box for education. As far as I can tell Box for education is either Enterprise or Enterprise Plus at a discounted price, and not a separate product. Or are there any API limitations for education plan customers and this is expected behavior?
Hi @BenSnow ,
I don’t think there is any distinction between those, and the error doesn’t seem to be related with API limits.
Can you tell us more about the application authentication type and how is it authenticating?
It’s authenticating with OAuth2 with this endpoint: https://www.box.com/api/oauth2/token
This is how the connector is configured: Configuration of Box
I take it there shouldn’t in general be a limitation for fetching data via the API when a “Box for Education” customer.
I’m aware it’s not ideal for me to be posting here when I don’t have access to the actual environment in question There could be any number of things going on here.
Thank you for your time
No worries @BenSnow
A few common pointers here to help diagnose:
- A developer token always points to the security context of the user who created it.
- An OAuth token is always associated with the managed user that authorized the application
- A CCG or JWT can be used to authenticate a user, but typically they authenticate a service account
- Depending on the configurations the above may be able to impersonate a user
- To list the enterprise users, not only the app must be set to Manage users, but also if using the managed user it must be a admin or co-admin. If using a service user then the applicaiton configuration is sufficient.
Hope this helps.