Skip to main content
Question

Restrict application access to a specific folder

  • May 22, 2025
  • 3 replies
  • 156 views
C
Forum|alt.badge.img

I'm working on an application that does a one-way upload of documents to Box, and was wondering if it would be possible to restrict access for this application down to a specific folder (ie, the application can only read/write to that specific folder, and has no access to do anything on any other folder in our Box instance)?

 

Looking at the Box Developer console, I think I need the default "Application" level of access, which states:

 

> Provides access only to the service account and any app users and content created by your app.

 

This makes me think that I should be ok to proceed, since my application can create its own folder to contain uploads and then dump everything in there.

 

However, the next section (the Application Scopes section) says this:

 

> Read and write all files and folders stored in Box

 

This is what's confusing me. How should I reconcile the two sections? Does this mean that the application will truly have read/write access to all files and folders stored in Box? Or does this still respect the application access level, which would result in the application only having access to all files and folders that it creates itself?

    3 replies

    C
    Forum|alt.badge.img

    Hi ,

     

    Let me see if I can provide some more detail. If you create a JWT/OAuth application, that will generate what is called a service account to represent the application. Here's where things get a little tricky:

    • If you follow these directions you will authenticate as the application, and all files / folders that are created will only be created within your application. The service account does not have any ability to access files from other users unless you collaborate the service account in on the file / folder. 
    • If you want to access files / folders within app users that you create from the application, then you would follow these guidelines. This would allow you to upload / manage files / folders for the user that you create a token for.

     

    In short, by default, your JWT application will only be able to access files and folders within the application. 

     

    If you want to further restrict the access token created for the service account, you can potential use the downscope token capability, and if you use the base upload scope that should give you the restriction to just upload to a single folder that you may need.

     

    Hope that helps,

    Jon 

    C
    Forum|alt.badge.img

    Hi ,

     

    What I wasn't aware of was the the fact that when your app is added to a box account, a automationuser is generated.  This automationuser is able to be associated with groups that could then be granted collaboration access.

     

    This was perfect because it allowed us to remove all authorization scopes other than read folder access to guarantee security for our customers.

     

    Thanks!

    C
    Forum|alt.badge.img

    Hey Jon, this is fantastic, thanks. Exactly what I was looking for, and allows me to move forward with my app.

    Terms of ServiceAccessibility statement