x-post from developer forum.
Hello,
[I cross-posted this from the developer forum since it seems there isn't much activity there (no comments in 7 days). I would love to get answers to these questions and am unsure what the best avenue to ask them is. If this is beyond the scope of the support forum, what is the best way of obtaining gcm permissions for an application? Getting those would at least allow me to continue doing some research on my own in the meantime. Thanks!]
I'm building out an integration for our backend to pull Box data from some of our customers. I have been having a hard time figuring out the best Custom App setup to meet our customers' needs.
Architecture:
We want to be able to pull admin logs from the "/2.0/events" route and then depending on the information we get back grab additional information from the "/2.0/files/" and "/2.0/folders/" routes. We would like to be able to grab events, files and folders from the entirety of the environment that the custom app exists in. Our current custom app is using OAuth2.0 with client credentials grant.
The Problem:
The problem we are running into is that, after authenticating, the access token provided is associated with a service account which by default doesn't have access to the entirety of the tenant/environment. When comparing the API calls made with the service account access token vs a developer token from the tenant admin, I noticed that I received more logs from the events route and that I couldn't retrieve any files or folders unless I manually added the email associated with the service account as a contributor.
I've figured out 3 potential workarounds for this situation:
1) Add the service account as a contributor to all folders within the organization. As far as I can tell there is no programmatic way to do this since the service account can't discover all the folders within the organization. Without a programmatic way this isn't "scalable"; also, if a new folder was added the service account would be ignorant of it.
2) Add the gcm scope to the application. I think this is the most likely way to accomplish what I want to do with this integration. But the only downside is that a ticket must be opened for each app, which would mean each time a customer wanted to bring on their Box account we would have to request a new one.
3) Assume the user identity of the account admin. This one I have not been able to verify would work.
My Question:
1) Given the scenario and problems listed above, are we going about this the correct way? Is there some better way to set up the application that we just missed?
2) Is there a programmatic way we can add the service account as a contributor to all folders?
3) How long is the turnaround for getting gcm scope added to an app?
4) Could I get gcm scope added to our test app (user: 15026259845, enterprise: 792266645)?
Thanks for any feedback!