App Access Level setting only applies to JWT Auth and Client Credentials type custom apps.
Some custom app settings also require specific a App Access Level. Review the Scopes documentation to determine if a specific custom app setting requires a certain App Access Level setting.
“App Access Only” vs “App + Enterprise Access”
An application's access level determines which users and content your app may access. By default, an application can only successfully interact with the content of its Service Account and any App Users. To access existing Managed Users of an enterprise and groups that were not created by the app itself, navigate to the Application Access settings accessible in the Configuration tab of the Developer console and set to App + Enterprise Access. Otherwise, access to such Managed Users and groups will be blocked.
Issue
You are unable to use the as-user header or User Access Token functionality to make API calls as a Box account.
Error
{"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"abcd1efgh2ijkl3m"}
Cause
The as-user header or User Access Token allows you to make API calls as another Box account so requires your custom app to have access to your Box Enterprise.
Resolution
-
Ensure the App Access Level for your Box custom app is set to “App + Enterprise Access”
-
Save your custom app setting changes
-
Re-authorize your Box custom app
Note
You would not be able to use the as-user header with another Co-Admin account as a Co-Admin or as an Admin/Co-Admin account as a Managed Users account.