Need some help understanding app users/service accounts in Box
I'm fairly new to Box, though not new to most of the concepts here, but I have a feeling that I've got a blind spot about App Users/Service accounts based on similar things that I've done in the past, that are perhaps different. So- here are the details of what I'm trying to do:
1) I'm in a system administration role, and need to be able to do some things without adding to the development team's already overfull plate- so I'm looking at how to accomplish some of these things in my role- not with custom-developed software. I want a solution that I can do to set up these kinds of processes as a sysadmin.
2) What we are attempting to do is simply to create scheduled processes to sync files to/from Box from servers that we operate. We'd like to do this using "RClone", an open-source package that can do this, and is aware of the Box API, which it uses via OAuth2 w/JWT. I've managed to get it to accept setup with the "Acting on behalf of the enterprise" settings, but so far I can't get it to connect based on a connect as user setting within that app.
3) Here's where I get stuck- per our standard security practice, I need to be able to set up that rclone access so that it only has access to the specific set of folders that it's transferring to. Based on my reading so far, I believe that means that I need to set up rclone to act on behalf of a user, and either make the service account set up on behalf of this app the owner of those files- or collaborate those files with that app. Or... I need to limit the scope of that app setup to just allow access to those folders. Both of those involve using the identity of the service account, I believe- but what identity of a service account can I see as an Enterprise admin? There is no unique email address assigned to the developer app I've set up for RClone to use, and I don't see an interface to set up the collaboration or ownership using anything but an email address as the identifier. I'm sure there is some concept or detail here that I'm just blind to- what is it that I'm missing? Isn't there a fairly direct way to set up an app that I've defined in my developer console to have specific file permissions?
Official comment
Yes, it sounds like your understanding of your options is correct:
- obtain access token for a user that already has access
- collaborate the service account onto just the content it needs access to
- use the token of the service account and use the as-user header to act as a user that already has access
For security purposes, I would recommend going with the second option there and collaborating your service account in on just the content it needs to access.
You can get the identity of this user a few different ways:
- Use the default access token of the JWT app to call the get current user endpoint, which will return an email that looks like AutomationUser_xxxx_@boxdevedition.com, which you will need to collaborate on the content
- Via the content manager in the admin console, search the name of your app and right-click on it. Select "login as user", and when you're in that account go to the top right-hand corner and click the circle to get to account settings; you'll see the AutomationUser_xxxx_@boxdevedition.com email address listed under the account tab. That's the email address you need to add as the collaborator.
Hope that helps!
Best,
Kourtney, Box Developer Advocate
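As an added example (not from the thread and not Box's own tooling), this Python script does the two steps described above with the standard library only: it calls GET /users/me with the JWT app's token to recover the AutomationUser login, then, with a token of a user who already owns or co-owns the folder, posts a collaboration that grants that login a single role on a single folder. The environment variable names, the folder id argument and the existence of a separate admin token are assumptions.

```python
import json
import os
import re
import sys
import urllib.request

BOX_API = "https://api.box.com/2.0"
# Roles Box accepts on a collaboration; a sync job needs "editor", nothing above it.
ROLES = {"viewer", "editor", "uploader", "previewer", "previewer uploader", "viewer uploader"}
# JWT service-account logins have the AutomationUser_..._@boxdevedition.com shape quoted above.
AUTOMATION_LOGIN = re.compile(r"^AutomationUser_\w+_\w*@boxdevedition\.com$")


def service_account_login(me):
    """Login from a GET /users/me response; refuse anything that is not a JWT service account."""
    login = me.get("login", "")
    if not AUTOMATION_LOGIN.match(login):
        raise ValueError(f"token does not belong to a JWT service account: {login!r}")
    return login


def collaboration_body(folder_id, login, role="editor"):
    """Body for POST /collaborations: invite `login` onto one folder with `role` only."""
    if role not in ROLES:
        raise ValueError(f"refusing role {role!r}: co-owner grants far more than a sync needs")
    return {
        "item": {"type": "folder", "id": str(folder_id)},
        "accessible_by": {"type": "user", "login": login},
        "role": role,
    }


def box_call(token, path, body=None):
    """Minimal authenticated GET/POST against the Box API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BOX_API + path, data=data, method="POST" if body is not None else "GET",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment: BOX_SA_TOKEN is an access token obtained through the app's JWT flow;
    # BOX_ADMIN_TOKEN belongs to a user who already owns or co-owns the target folder.
    sa_token, admin_token = os.environ["BOX_SA_TOKEN"], os.environ["BOX_ADMIN_TOKEN"]
    folder_id, role = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "editor")
    login = service_account_login(box_call(sa_token, "/users/me"))
    print("service account:", login)
    collab = box_call(admin_token, "/collaborations", collaboration_body(folder_id, login, role))
    print(f"collaboration {collab['id']} created with role {collab['role']}")
```

Run it as `python box_sa_collab.py <folder_id> [role]`; the /users/me check stops you from accidentally collaborating a person's account if the token came from a developer-token or as-user flow.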
Wow- thanks! That took me exactly where I needed to go. Everything kind of fell together once I could get to that service account ID. I now have it working as a limited app, with permissions only to the folders and files that it needs to collaborate with. Thanks for getting me over that hump- I'd never have gotten there without your guidance.
Randy,
Thank you for the update - that makes me very happy to hear! Congrats on getting everything up and running :) I will say that the team is working on improving our documentation and we have some upcoming product changes to hopefully help ease the difficulties you encountered.
Best,
Kourtney, Box Developer Advocate
@Kourtney.
I have an issue with uploading a file via the .NET SDK, the same as in the discussion below.
How can I reach Support for support/clarification?
Kourtney,
The information you provided about obtaining the email address was very helpful. I tried using the "Content manager" approach. In my case I had to switch to the account that is "Owner" of our Box tenant. When trying to do this as a co-owner the "sign in as account" just signed me into my own account. I'm posting this as much for my own reference next time I need to find the email of an app user so we can invite them as a collaborator.