Skip to main content
Question

API As-User or Client token Creating Root parentID 0 folders 403 access denied

  • May 21, 2025
  • 6 replies
  • 90 views
C
Forum|alt.badge.img

Anyone out there that can please point me in the right direction? 

 

Using the API I have been able to successfully create subfolders for all users. I have an App that is authorized in an Enterprise sandbox with Manage All Users access and impersonation. 

 

When attempting to create a subfolder at the root level with a parent id of '0' I get the below error. This seams to happen both when using the As-User parmater as well as generating a client specific token with user claim instead of enterprise. 

 

The strange thing is this only seemed to start happening on new accounts, the first few Admin/Co-Admin users I was able to create root level folders without issue. 

 

 

ERROR:

Invoke-RestMethod : {"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient
permission"

    6 replies

    C
    Forum|alt.badge.img

    This person had the same issue however the support acticle they reference is no longer valid. There seems to be some sort of setting that prevents the API from creating root level folders of non admin accounts?

     

    https://www.codecademy.com/en/forum_questions/51c32a977c82cabba700c325 

     

    https://support.box.com/entries/23529717-file-and-folder-ids

    C
    Forum|alt.badge.img

    Ok I found the root cause of the issue I am seeing relates to the 'Restrict content creation' which prevents NON Admins from creating top level folders. 

     

    Is there a way to work around this? Even if I do an As-User with an admin users token I am not able to create the root level folders with the API. 

     

     

    C
    Forum|alt.badge.img

    I believe the intention of this feature is that all content in the user's root folder will be collaborated content. So an admin account can create a folder (NOT using As-User, just as themself) and then collaborate managed users into that folder.

     

    C
    Forum|alt.badge.img

    Thanks, that is the work around I will use. It seems the new user provisioning capabilities act in a similiar way. 

     

    The next step will be to remove the Box Admin user so the only collaborator listed is the actual box managed user. 

    C
    Forum|alt.badge.img

    I have been trying to create something similar for several years now, but have been running into the same problem since we also have the "restrict content creation" setting applied.  Have you successfully created this app?  If so, would you be willing to share any of your steps or code to do so?

     

    Thanks!

    C
    Forum|alt.badge.img

    Sorry I don't have code to share.

     

    We use OKTA provisioning and they provided an update that allows the new users root level folder to be created without the adminbox account listed as a collaborator. 

     

    Really its using the same method so if you find a function for inviting/removing a collaborator you can create the folder under the adminbox account and invite the managed user as a collaborator. Then remove adminbox and it will only belong to the user and shows at their root level. 

     

     

    Terms of ServiceAccessibility statement