Permissions Needed to Authenticate API's

Hello, we have an integration to a third party apllication using Oauth 2 and apis v2.0/users and events. we are trying to determine the minimal permissions required to authorize this application, from the documentation it looks like user needs to be either and Admin or co-Admin to authorize. Can someone confirm this.

Below is the infromation in the developer documentation and Box Admin Dicumentation.

The Box API requires the application and user authenticating the application to have the correct permissions.

User permissions and scopes

It is important to understand that even if an application has the right scopes to perform an action, the user authenticated in the API call needs to have permission to perform that action as well, and vice versa.

For example, if your application is set up to read files, the authenticated user does need to have permission to read the file you are trying to access.

The three Box Admin types are:

ADMIN: Admins can manage users and groups, view and edit all of their organization’s files and folders, log in to any user’s account within their organization, edit settings for their organization, and run or access reports. The Box Admin is the principal account administrator.
CO-ADMIN: Co-admins can perform the same duties as the organization’s Admin, but they cannot make changes to the Admin’s permissions or other Co-admins' permissions. The default access levels for Co-admins, which are set to include only the ability to manage users and groups, can be modified on a per-user basis.
GROUP ADMIN: Group Admins can add existing users to their groups, create new users that will be assigned to their groups, and assign folder access to their groups. They can also run reports for their groups.

https://support.box.com/hc/en-us/articles/360043694174-Understanding-Administrator-and-Co-Administrator-Permissions

https://developer.box.com/guides/api-calls/permissions-and-errors/scopes/

cbetta

2020年05月04日 02:42

Hi this all depends on what user manipulation and events APIs the app wants to use. If it only needs to read the current user's events and user details, then any user should be able to authenticate the app. If the app wants to be able to read all users and events in the enterprise, then the authenticated OAuth 2.0 user needs to be an admin or co-admin.

Is this app being developed by you or by a third party? And is it a new app or something you're looking to adopt that's already built?

Flexera

2020年05月04日 06:07

Thanks for your reply, it's an application we built and need to provide the miminum permissions needed to authorize the application.

2020年05月04日 06:32

Excellent. So what actual API calls does the app need to make?

2020年05月04日 08:18

We are using these endpoints- https://api.box.com/2.0/users and https://api.box.com/2.0/events to get the list of all users and their last logins.

2020年05月06日 06:40

So in that case you have 2 options.

You can either have an admin or co-admin authenticate through OAuth 2.0, or you can use a JWT authenticated (server to server) app.

In both cases, the app will need the permissions to "Manage users" as well as "Read enterprise properties".

コメント