Restrict permission scope of app by directory

Hello,

I am looking to create a Python script that can read from and write to Box. I followed the Box Dev instructions and created an App, so that I can use the generated Client ID and Client Secret to authenticate with JWT.

Am I able to restrict the scope of the Client ID and Client Secret to certain directories? I would like my app to have read/write access for a subset of Box directories, and to be restricted from read/write permissions to all others.

Thanks,

Alex

Hi @alex_resolver , welcome to the forum!

Yes it will, and it is the default behaviour.

Despite the fact that in the application configuration you have check boxes to read and write all files (you will most likely need those), the permissions of the files and folders still stand.

The JWT app (or the CCG) has its own service account user, and like any other user, access to a file or folder has to be explicitly granted.

This means that if you want your app to access a certain folder, not created by your app, then the folder must be explicitly shared with the service account.

Let me add that both CCG and JWT apps can also impersonate users if they are configured to do so.

Let us know if this helps

Thanks @rbarbosa , very helpful! How do I share the folder with the service account? I only see an option to invite new “People”, via email. I also don’t see any options in the Box Developer console for this.

Hi Alex,

First identify the service account user. You can do this by hitting the /users/me endpoint where the access token has been obtained for the CCG/JWT credentials.

For example for my CCG app:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \
--header 'Authorization: Bearer Ml...R3'

Results in:

{
    "type": "user",
    "id": "20706451735",
    "name": "CCG",
    "login": "AutomationUser_1803368_9rbDFPFJSf@boxdevedition.com"
}

With the above login I can “collaborate” the service account to any file or folder.
For example in my Box account:

Now I can make sure the service account can access the folder. I’ll do that by listing the folder contents:

curl --location 'https://api.box.com/2.0/folders/253757099719/items' \
--header 'Authorization: Bearer Ml...R3'

Resulting in:

{
    "total_count": 6,
    "entries": [
        {
            "type": "file",
            "id": "1490613967042",
            "file_version": {
                "type": "file_version",
                "id": "1636358467042",
                "sha1": "50c1c13b9d8510f82d323d81146189604595ea44"
            },
            "sequence_id": "0",
            "etag": "0",
            "sha1": "50c1c13b9d8510f82d323d81146189604595ea44",
            "name": "CR-USA238.pdf"
        },
        {
            "type": "file",
            "id": "1490671696477",
            "file_version": {
                "type": "file_version",
                "id": "1636423446877",
                "sha1": "79321dca22c8b8cd01a02efabb9fea80a9546e83"
            },
            "sequence_id": "0",
            "etag": "0",
            "sha1": "79321dca22c8b8cd01a02efabb9fea80a9546e83",
            "name": "Simple-DOC (1) Signing Log.pdf"
        },
        {
            "type": "file",
            "id": "1490661695888",
            "file_version": {
                "type": "file_version",
                "id": "1636422829593",
                "sha1": "3f272f3ce8c9ad1ee4641528837cdf669fa86114"
            },
            "sequence_id": "1",
            "etag": "1",
            "sha1": "3f272f3ce8c9ad1ee4641528837cdf669fa86114",
            "name": "Simple-DOC (1).pdf"
        },
        {
            "type": "file",
            "id": "1490675258325",
            "file_version": {
                "type": "file_version",
                "id": "1636426552725",
                "sha1": "9121c7b8c768708a8961c5746736241912de2f25"
            },
            "sequence_id": "0",
            "etag": "0",
            "sha1": "9121c7b8c768708a8961c5746736241912de2f25",
            "name": "Simple-DOC (2).pdf"
        },
        {
            "type": "file",
            "id": "1490651087357",
            "file_version": {
                "type": "file_version",
                "id": "1636399652957",
                "sha1": "6ed3745b21a9b2e90ad8ed90d0666bcd9258bc28"
            },
            "sequence_id": "0",
            "etag": "0",
            "sha1": "6ed3745b21a9b2e90ad8ed90d0666bcd9258bc28",
            "name": "Simple-DOC Signing Log.pdf"
        },
        {
            "type": "file",
            "id": "1490646361591",
            "file_version": {
                "type": "file_version",
                "id": "1636390655886",
                "sha1": "16fa13ffbd241fb1d047add868fa79382e367086"
            },
            "sequence_id": "1",
            "etag": "1",
            "sha1": "16fa13ffbd241fb1d047add868fa79382e367086",
            "name": "Simple-DOC.pdf"
        }
    ],
    "offset": 0,
    "limit": 100,
    "order": [
        {
            "by": "type",
            "direction": "ASC"
        },
        {
            "by": "name",
            "direction": "ASC"
        }
    ]
}

Let us know if this helps

Best regards
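The two answers above describe the check by hand: call /users/me to learn the service account's login, collaborate it on the folders the script should see, then list those folders to confirm. The following is an added example (not from the thread or from Box's SDK) that automates that verification for a Python script: it resolves the service account identity and then audits a list of folder ids against the access the script is supposed to have, so an over-broad collaboration shows up as a finding. It assumes Box answers 404 for a folder the caller cannot see, and the `get` transport and fake server are constructed stand-ins; plug in `box_get_with_token` with a real JWT/CCG access token to run it against a live account.

```python
"""Audit which Box folders a JWT/CCG service account can actually reach."""
from typing import Callable, Dict, List, Set, Tuple

BASE = "https://api.box.com/2.0"
# A transport takes a URL and returns (HTTP status, decoded JSON body).
HttpGet = Callable[[str], Tuple[int, dict]]


def service_account_login(get: HttpGet) -> str:
    """Identity behind the token: same /users/me call as in the answer above."""
    status, body = get(f"{BASE}/users/me?fields=id,type,name,login")
    if status != 200:
        raise RuntimeError(f"/users/me failed with HTTP {status}")
    return body["login"]


def audit_scope(get: HttpGet, expected: Dict[str, bool]) -> Dict[str, List[str]]:
    """expected maps folder id -> whether the account SHOULD have access.
    Returns folders reachable but not expected, and expected but unreachable.
    Assumption: Box returns 404 (not 403) for items the caller cannot see."""
    unexpected, missing = [], []
    for folder_id, should_access in expected.items():
        status, _ = get(f"{BASE}/folders/{folder_id}/items?limit=1")
        can_access = status == 200
        if can_access and not should_access:
            unexpected.append(folder_id)   # collaboration is broader than intended
        elif should_access and not can_access:
            missing.append(folder_id)      # folder not yet shared with the account
    return {"unexpected_access": unexpected, "missing_access": missing}


def box_get_with_token(token: str) -> HttpGet:
    """Real transport (hypothetical helper): bearer token from the JWT/CCG flow."""
    import requests  # imported lazily so the offline demo needs no network deps

    def get(url: str) -> Tuple[int, dict]:
        r = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=30)
        return r.status_code, (r.json() if r.content else {})
    return get


def make_fake_box(login: str, visible_folders: Set[str]) -> HttpGet:
    """Constructed offline stand-in for Box: the token belongs to `login` and
    can only list the folders in `visible_folders`; everything else is 404."""
    def get(url: str) -> Tuple[int, dict]:
        path = url[len(BASE):]
        if path.startswith("/users/me"):
            return 200, {"type": "user", "id": "0", "name": "CCG", "login": login}
        if path.startswith("/folders/"):
            if path.split("/")[2] in visible_folders:
                return 200, {"total_count": 0, "entries": []}
            return 404, {"type": "error", "status": 404, "code": "not_found"}
        return 400, {}
    return get
```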