When making API calls to various objects, the following error can be returned in the response:
{"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http://developers.box.com/docs/#errors","message":"Access denied - insufficient permission","request_id":"qbkiebl8v0prtqqn"}
This error comes from the way that Box checks for permissions. For any action taken via the API, Box will check:
- The permissions of the Box account that owns the access token (or, when the As-User header is used, of the user being impersonated and of the account impersonating them)
- The permissions/scopes of the Box app
If either check fails, the error is returned, regardless of which one failed.
These two checks are not the only access controls involved: Box has many access control options available. More information on Box app permission scopes can be found on our Scopes page, and the specific permission scopes required for each API endpoint are listed on our API Reference page.
Environment
Box Platform - API Calls to Box via a custom application
Steps To Resolve
Check that the user has permission to do the task. The easiest way to check is to see whether the same action can be done via the Web App. For example:
- If attempting to use the "As-User" header to act as another user, check whether you can use the "Log in as this user" option for that user in the Admin Console. Common causes of failure here are the token owner not having Co-Admin permissions, a Co-Admin trying to use "As-User" as another Co-Admin, or a Co-Admin trying to use "As-User" as the Primary Admin.
- If attempting to use an advanced feature like Legal Holds, then the enterprise must have access to the feature.
- You cannot add a collaborator to the root folder ("All Files" page).
- Note: Co-Admins do not have the permission to manage other Co-Admin accounts.
Check that the application has permission to do the task by looking at the scopes enabled for the application. There are potentially two places to check:
- (Client and Server Authentication) The Configuration page for the Box app in the Dev Console.
- (Server Authentication Only) The Box app's App Authorization in the enterprise via Admin Console -> Integrations -> Platform Apps Manager -> View -> App Scopes.
When Admins authorize a Server Authentication app in the Admin Console, the authorization for the app is the set of scopes the app has at the time it was authorized. If the scopes change after the app was originally authorized, the app must be reauthorized for the changes to take effect in the enterprise (the Admin has to effectively "approve" the changes in the app's scopes).
For example:
- If making a call to the Users API endpoint, the "Manage users" permission scope must be enabled.
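The following is an added example, not code from the Box documentation or SDKs, showing how a client would make a call with the As-User header, recognise this specific 403 by its error code rather than by status alone, keep the request_id for a support ticket, and print the checks above that apply. It uses only the Python standard library; the 403 body is the one quoted at the top of this article, embedded as a constructed sample so the helpers can be exercised without a live Box tenant. The mapping of the /users endpoint to the "Manage users" scope is taken from the example above; the function and variable names are this example's own.

```python
import json
import urllib.error
import urllib.request

BOX_API = "https://api.box.com/2.0"
INSUFFICIENT = "access_denied_insufficient_permissions"

# Endpoint-to-scope mapping for the example in the article only; consult the
# API Reference for the scopes each endpoint actually requires.
REQUIRED_SCOPE = {"/users": "Manage users"}

# Constructed sample: the 403 body quoted in this article, used so the
# diagnosis helpers run offline.
SAMPLE_403_BODY = (
    '{"type":"error","status":403,'
    '"code":"access_denied_insufficient_permissions",'
    '"help_url":"http://developers.box.com/docs/#errors",'
    '"message":"Access denied - insufficient permission",'
    '"request_id":"qbkiebl8v0prtqqn"}'
)


def parse_box_error(status, body):
    """Extract code, message and request_id from a Box error body.

    A non-JSON body (for example from a proxy or WAF in front of the API) is
    reported with code None instead of raising, so the caller can still log it.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return {"status": status, "code": None, "message": body, "request_id": None}
    return {
        "status": status,
        "code": data.get("code"),
        "message": data.get("message"),
        "request_id": data.get("request_id"),
    }


def diagnose(error, as_user=None, endpoint=""):
    """Map an insufficient-permissions 403 to the checks Box performs.

    Returns an empty list for any other error (expired token, 404, ...), so
    callers do not send users down the permissions checklist for unrelated
    failures.
    """
    if error.get("status") != 403 or error.get("code") != INSUFFICIENT:
        return []
    checks = []
    if as_user:
        checks.append(
            "As-User %s: confirm the token owner can use 'Log in as this user' "
            "for that account in the Admin Console (Co-Admins cannot act as "
            "another Co-Admin or the Primary Admin)." % as_user)
    checks.append("Confirm the token owner can perform this action in the Web App.")
    scope = REQUIRED_SCOPE.get(endpoint)
    if scope:
        checks.append("Confirm the '%s' scope is enabled for the app in the Dev Console." % scope)
    else:
        checks.append("Confirm the app's scopes in the Dev Console cover %s." % (endpoint or "this endpoint"))
    checks.append(
        "Server Authentication apps: if scopes changed since the Admin authorized the app, "
        "re-authorize it under Admin Console -> Integrations -> Platform Apps Manager.")
    return checks


def box_call(method, path, token, as_user=None, payload=None):
    """Call the Box API; return (status, parsed JSON) or (status, error dict)."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    if as_user:
        headers["As-User"] = as_user  # impersonate a managed user by user ID
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(BOX_API + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return exc.code, parse_box_error(exc.code, exc.read().decode())


if __name__ == "__main__":
    # Offline walk-through using the constructed sample body.
    err = parse_box_error(403, SAMPLE_403_BODY)
    print("request_id for the support ticket:", err["request_id"])
    for line in diagnose(err, as_user="12345", endpoint="/users"):
        print("-", line)
```

In production the `box_call` result is what you would feed to `diagnose`; the `request_id` it returns is the value Box Support will ask for when you file a ticket.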
Root Cause
The user, or the application (its scopes), does not have permission to perform the requested action. If you need further assistance, please file a ticket with Box Support and include the request_id from the error response.