Summary
With Box for Salesforce, the user’s permission on the record’s Box folder is intended to match their Salesforce access to that record. Sometimes it does not—for example, Salesforce shows Edit while Box shows Viewer. This article describes how to troubleshoot that mismatch and fix it.
Common causes
A frequent pattern is that a collaboration was created when the user only had lower access (e.g. Read / Viewer), and after Salesforce permissions were raised, the existing collaboration was not updated to the expected Box role (e.g. Editor).
- While the user only had Read (Viewer) in Salesforce, Box created a collaboration with Viewer permission.
- Salesforce was later updated to grant a higher level (e.g. Edit), but the original Viewer collaboration remained and was not replaced with Editor.
Resolution (quick fixes)
Try one of the following to realign Box with Salesforce:
1. Manual — change the role in Box
As the Salesforce service account, update the user’s collaboration on the affected folder so it matches Salesforce (other Box Admins can do the same via Content Manager).
2. Automatic — Sync Now
Use Sync Now in Box for Salesforce. It schedules a permission sync job to run about one minute later (not immediately). Be aware that Sync Now can overwrite manual collaboration changes. To resync a specific user or folder in a controlled way, use Recreate FRUP and collaboration instead.
If neither approach works, or you want to confirm root cause, continue with Troubleshooting below. If the mapping is still wrong after troubleshooting, use Recreate FRUP and collaboration.
Troubleshooting
Check current state
- UserRecordAccess — Query the standard UserRecordAccess object (see SOQL below) for the user’s effective access to the record. If the query returns no rows, that user has no row-level access to that record in Salesforce; fix sharing or record access in Salesforce first—the issue is not Box mapping.
- FRUP — The FRUP custom object stores the mapping between the Salesforce record and the Box folder. Check the FRUP record with SOQL or run the FRUP report (SOQL and steps below) to verify the permission level on the Box folder. See Generating a FRUP Report in the Box Salesforce Integration.
- Compare — Check that Permission__c on FRUP (for example box__Permission__c on box__FRUP__c, or the Permission column in the FRUP report) and UserRecordAccess align with the role shown for the user on the folder in Box (Collaborators list or Content Manager).
Advanced checks (optional)
These apply mainly in edge cases where Box Access Levels are customized or Sync Now does not apply updates because of invalid FRUP data.
- Custom Box Access Levels — If your org has customized Box Access Levels and maps Salesforce access levels (such as All, Transfer, Delete, Edit, Read, None) to Box collaborator roles (Viewer, Editor, and so on) differently from the default, Box can show an unexpected role even when UserRecordAccess looks correct. A Salesforce admin should review the mapping for the affected user or profile. This setting is under Setup > Custom Settings > Box Access Levels (v4.47 and later). See Box for Salesforce v4.47 release notes (Apr 2024).
- Invalid FRUP data — Scheduled permission sync considers FRUP rows only when certain fields are in expected states (for example Retry_Count__c empty, and BOSS_Status__c / BOSS_Action__c not in a bad state). Unusual BOSS Status, BOSS Action, or a non-empty Retry Count on the FRUP row can prevent updates from applying. Check those fields for affected records and compare them with healthy FRUP rows.
Sample SOQL
Replace placeholder IDs with your Salesforce User Id and record Id(s). For steps to run a SOQL query, refer to this article or other Salesforce help documentation.
Effective record access:
```sql
SELECT RecordId,
       HasDeleteAccess,
       HasEditAccess,
       HasReadAccess,
       MaxAccessLevel
FROM UserRecordAccess
WHERE UserId = '005xxxxxxxxxxxxxx'
  AND RecordId IN ('001xxxxxxxxxxxxxx', 'a0Jxxxxxxxxxxxxxx')
```
Sample output:
| RecordId | HasDeleteAccess | HasEditAccess | HasReadAccess | MaxAccessLevel |
|---|---|---|---|---|
| 0015i00000of4PrAAI | false | false | true | Read |
| 0015i000013hoAKAAY | true | true | true | All |
| a0JJ30000058CPsMAM | false | false | true | Read |
FRUP rows for a user and record(s):
```sql
SELECT Name,
       box__Box_user__c,
       box__CollaborationID__c,
       box__Folder_ID__c,
       box__Object_Name__c,
       box__Permission__c,
       box__Record_ID_Indexed__c,
       box__Salesforce_User__c
FROM box__Frup__c
WHERE box__Record_ID_Indexed__c IN ('001xxxxxxxxxxxxxx', 'a0Jxxxxxxxxxxxxxx')
  AND box__Salesforce_User__c = '005xxxxxxxxxxxxxx'
```
Sample output:
| Name | box__Box_user__c | box__CollaborationID__c | box__Folder_ID__c | box__Object_Name__c | box__Permission__c | box__Record_ID_Indexed__c | box__Salesforce_User__c |
|---|---|---|---|---|---|---|---|
| FRUP-00118 | 43527354476 | 71705605280 | 285084885059 | Account | Read/Write | 0015i00000of4PrAAI | 0055i00000BFCllAAH |
| FRUP-00111 | 43527354476 | 71664594274 | 239415191098 | Account | Read/Write | 0015i000013hoAKAAY | 0055i00000BFCllAAH |
| FRUP-00115 | 43527354476 | 71674918834 | 332600759483 | CustomObject2__c | Read | a0JJ30000058CPsMAM | 0055i00000BFCllAAH |
If UserRecordAccess and FRUP do not reflect the access you expect, or Box still shows the wrong role, the Salesforce-Box permission mapping is out of sync. Follow Recreate FRUP and collaboration next.
Example interpretation
- 0015i000013hoAKAAY — HasEditAccess = true on UserRecordAccess and box__Permission__c = Read/Write on box__Frup__c: aligned.
- a0JJ30000058CPsMAM — HasEditAccess = false on UserRecordAccess and box__Permission__c = Read on box__Frup__c: aligned.
- 0015i00000of4PrAAI — HasEditAccess = false on UserRecordAccess but box__Permission__c = Read/Write on box__Frup__c: not aligned (read-only in Salesforce, Read/Write on Box).
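The comparison walked through above can be scripted over exported query results. This Python script is an added example, not part of the original article or Box's tooling; it joins UserRecordAccess and box__Frup__c rows by record Id and separates over-permissioned folders from under-permissioned ones. It assumes the default mapping seen in this article's examples (edit access corresponds to Read/Write, read-only to Read), and its input rows are constructed from the sample output tables.

```python
# Added example (not Box tooling). Constructed input: rows from the sample output tables.
USER_RECORD_ACCESS = [
    {"RecordId": "0015i00000of4PrAAI", "HasEditAccess": False, "HasReadAccess": True},
    {"RecordId": "0015i000013hoAKAAY", "HasEditAccess": True, "HasReadAccess": True},
    {"RecordId": "a0JJ30000058CPsMAM", "HasEditAccess": False, "HasReadAccess": True},
]
FRUP_ROWS = [
    {"Name": "FRUP-00118", "box__Record_ID_Indexed__c": "0015i00000of4PrAAI",
     "box__Permission__c": "Read/Write"},
    {"Name": "FRUP-00111", "box__Record_ID_Indexed__c": "0015i000013hoAKAAY",
     "box__Permission__c": "Read/Write"},
    {"Name": "FRUP-00115", "box__Record_ID_Indexed__c": "a0JJ30000058CPsMAM",
     "box__Permission__c": "Read"},
]

# Assumption: default mapping only; customized Box Access Levels change this.
RANK = {"Read": 1, "Read/Write": 2}

def expected_permission(ura_row):
    """FRUP permission implied by a UserRecordAccess row (None = no access)."""
    if ura_row is None or not ura_row["HasReadAccess"]:
        return None
    return "Read/Write" if ura_row["HasEditAccess"] else "Read"

def audit(ura_rows, frup_rows):
    """Return (FRUP name, record Id, expected, actual, status) per FRUP row."""
    by_record = {row["RecordId"]: row for row in ura_rows}
    findings = []
    for frup in frup_rows:
        record_id = frup["box__Record_ID_Indexed__c"]
        expected = expected_permission(by_record.get(record_id))
        actual = frup["box__Permission__c"]
        if expected is None:
            status = "no-salesforce-access"    # fix sharing in Salesforce first
        elif actual not in RANK:
            status = "unknown-frup-permission"
        elif actual == expected:
            status = "aligned"
        elif RANK[actual] > RANK[expected]:
            status = "box-exceeds-salesforce"  # over-permissioned: fix first
        else:
            status = "box-below-salesforce"
        findings.append((frup["Name"], record_id, expected, actual, status))
    return findings

if __name__ == "__main__":
    for finding in audit(USER_RECORD_ACCESS, FRUP_ROWS):
        print(*finding, sep="  ")
```

Rows reported as box-exceeds-salesforce grant more in Box than the record allows in Salesforce, so they are the ones to resync first.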
Recreate FRUP and collaboration
Before you start: Back up affected records or folders and notify stakeholders where needed.
1. Remove the collaboration in Box
As the Salesforce service account, remove the user’s collaboration on the affected folder (other Box Admins can do the same via Content Manager).
2. Delete the FRUP row(s) in Salesforce
Delete the FRUP record(s) that are out of sync. In the example above, FRUP-00118 is the row that is out of sync and should be deleted.
Open the FRUP record from the FRUP report/object (list view or related list), then Delete.
Deleting the FRUP row is necessary because Box for Salesforce will keep referencing the FRUP row for the collaboration you removed in step 1. This causes errors in Box embed/UI elements since the affected user no longer has access to the Box folder tied to that record.
After you delete the FRUP row, when the user next uses Box for Salesforce on that record (i.e. loads the Box embed or UI Elements on the record page), FRUP is recreated and the user is re-invited automatically.
3. Validate
After FRUP is recreated, confirm the Box collaboration matches Salesforce access (Read/Write → Editor, etc.).
Contact Support
If the steps above do not resolve the issue, or the same problem recurs on other records, contact Box Support with:
- Affected Box account
- Affected Salesforce record ID
- Affected Box folder ID
- FRUP report output
- SOQL query results
- Screenshots of the Box Settings tab