Question

Restrict service account permissions to specific users

  • May 21, 2025
  • 4 replies
  • 37 views


I am building an app that needs to access content of specific users within the enterprise, without requiring them to log in via the app. Documentation suggests that this is what service accounts are for (concretely, I should be making requests using the service account token with the 'As User' header).

I created an app, and checking app authorizations in the enterprise admin console I see that it requires access to content for all users. Is there a way for the enterprise admin to restrict my app to only access content for specific users?
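Since the platform itself cannot narrow a service account to particular users, the one place that restriction can live today is in the app. The following is an added example, not code from the original post or from Box's SDK: it enforces a deny-by-default allowlist of user IDs before any As-User request is built, and logs every impersonation for audit. The allowlisted IDs are constructed sample values; the API base URL is Box's public REST endpoint.

```python
import logging
import urllib.request

BOX_API_BASE = "https://api.box.com/2.0"  # Box REST API base URL

# Constructed sample allowlist: the only enterprise users this app may act as.
# The admin console cannot scope a service account to specific users, so the
# app enforces that scope itself, denying anything not listed explicitly.
ALLOWED_USER_IDS = frozenset({"12345678", "23456789"})

log = logging.getLogger("as_user_audit")


class ImpersonationDenied(PermissionError):
    """Raised when the app tries to act as a user outside the allowlist."""


def as_user_headers(service_token: str, user_id: str,
                    allowed: frozenset = ALLOWED_USER_IDS) -> dict:
    """Build headers for a Box call made on behalf of one managed user.

    The service-account token authenticates the app; the As-User header
    names the user whose content is accessed. A user not on the allowlist
    is refused (and logged) before any request object is created.
    """
    user_id = str(user_id)
    if user_id not in allowed:
        log.warning("denied As-User impersonation of user %s", user_id)
        raise ImpersonationDenied(f"user {user_id} is not allowlisted")
    log.info("As-User impersonation of user %s", user_id)
    return {
        "Authorization": f"Bearer {service_token}",
        "As-User": user_id,
    }


def build_folder_items_request(service_token: str, user_id: str,
                               folder_id: str = "0") -> urllib.request.Request:
    """Prepare (but do not send) a GET for a folder listing as the given user."""
    headers = as_user_headers(service_token, user_id)
    url = f"{BOX_API_BASE}/folders/{folder_id}/items"
    return urllib.request.Request(url, headers=headers, method="GET")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    req = build_folder_items_request("<service-account-token>", "12345678")
    print(req.full_url, req.get_header("As-user"))
```

The allowlist should hold explicit IDs rather than ranges, because sequential IDs make any range-based rule far wider than intended.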

4 replies


Service Accounts cannot be restricted to a specific set of users as of yet, though this is something we are exploring. You can scope a Service Account to "No Users," "App Users," or "All Users" (Managed Users + App Users). 



I'd like to second this request. We have a very large organization, so handing out an enterprise/service account is a security risk.



I am in the same boat. There needs to be a way to authorize these service accounts for specific folders. Or, alternatively, a way for Enterprise Users to see Box Application Users' folders.



2019 status check: is this functionality still on the road map for Box?

Context: I'm an R developer interested in using the JWT app as an alternative to standard OAuth for usage on remote servers and in data applications. This use case would require access to existing user accounts, but the vulnerability of being able to access *any* user in the enterprise is concerning.

Sidenote: If user IDs were provisioned randomly instead of sequentially (based on account creation date), this would be less of a problem.