Restrict service account permissions to specific users
I am building an app that needs to access content of specific users within the enterprise, without requiring them to log in via the app. Documentation suggests that this is what service accounts are for (concretely, I should be making requests using the service account token with 'As User' header).
I created an app, and checking app authorizations in the enterprise admin console I see that it requires access to content for all users. Is there a way for the enterprise admin to restrict my app to only access content for specific users?
-
Service Accounts cannot be restricted to a specific set of users as of yet, though this is something we are exploring. You can scope a Service Account to "No Users," "App Users," or "All Users" (Managed Users + App Users).
-
2019 status check, is this functionality still on the road map for Box?
Context: I'm an R developer interested in using the JWT app as an alternative to standard OAuth for usage on remote servers and in data applications. This use case would require access to existing user accounts, but the vulnerability of being able to access *any* user in the enterprise is concerning.
Sidenote: If user IDs were provisioned randomly instead of sequentially (based on account creation date) this would be less of a problem.
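Since the thread establishes that the admin console cannot limit a service account to particular users, the remaining control is in the app itself: only ever send the 'As User' header for an explicit allowlist of user IDs, and log every refusal. The following is an added example for both the original question and the later comment's concern; it is not code from the Box forum post or from Box's own SDK. It assumes the header is spelled `As-User` and the API base URL is `https://api.box.com/2.0` (as the Box API documents them); the token, user IDs and allowlist are constructed sample values, and the client only builds requests, it does not send them.

```python
"""
Added example (not from the forum post or Box's SDK): an app-side allowlist
for the Box "As-User" header.  Because the platform cannot scope a service
account to specific users, the app enforces, deny-by-default, which user
IDs it will ever act as.  Header name and API base URL are assumptions
taken from the public Box API docs; all IDs and tokens are constructed.
"""
import logging
import urllib.request

BOX_API_BASE = "https://api.box.com/2.0"  # assumption: Box API base URL
log = logging.getLogger("box_as_user")


class UserNotAllowed(PermissionError):
    """Raised when the app is asked to act as a user outside its allowlist."""


class ScopedBoxClient:
    """Wraps a service-account token and refuses As-User requests for any
    user ID that is not in an explicit allowlist."""

    def __init__(self, service_token: str, allowed_user_ids):
        self._token = service_token
        # Normalise to strings: Box user IDs travel as numeric strings.
        self._allowed = frozenset(str(uid) for uid in allowed_user_ids)

    def headers_for(self, user_id) -> dict:
        """Return request headers for an allowed user, or raise."""
        uid = str(user_id)
        if uid not in self._allowed:
            # Log refusals so unexpected impersonation attempts are visible.
            log.warning("refused As-User request for user_id=%s", uid)
            raise UserNotAllowed(f"user {uid} is not in the impersonation allowlist")
        log.info("acting as user_id=%s", uid)
        return {
            "Authorization": f"Bearer {self._token}",
            "As-User": uid,  # assumption: Box's As-User header
            "Accept": "application/json",
        }

    def build_request(self, user_id, path: str, method: str = "GET"):
        """Build (without sending) an API request on behalf of an allowed user."""
        return urllib.request.Request(
            BOX_API_BASE + path, headers=self.headers_for(user_id), method=method
        )


def impersonation_summary(client: ScopedBoxClient, requested_ids) -> dict:
    """Dry run over a batch of requested user IDs: which would be served
    and which refused.  Useful as a pre-flight check in a data job."""
    allowed, refused = [], []
    for uid in requested_ids:
        try:
            client.headers_for(uid)
            allowed.append(str(uid))
        except UserNotAllowed:
            refused.append(str(uid))
    return {"allowed": allowed, "refused": refused}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample values, not real Box identifiers.
    client = ScopedBoxClient("SERVICE_ACCOUNT_TOKEN_PLACEHOLDER", ["1001", "1002"])
    req = client.build_request("1001", "/folders/0")
    print(req.full_url, req.headers)
    print(impersonation_summary(client, ["1001", "1002", "1003", 9999]))
```

The allowlist is independent of how user IDs are provisioned, so the sequential-ID concern raised above does not weaken it: a guessed or enumerated ID outside the list is refused and logged regardless.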