Overview

When you connect your account, it must already have the correct access level based on the selection you made:

• Admin account: Broad access to most or all files and folders across the workspace or tenant. Admins are able to connect using the User Account option.

• User account: Limited to your own files and any files or folders explicitly shared with you. If you are not an admin but attempting to connect via the Admin flow the connection will fail or be missing data.

The sections below explain these access levels in more detail and how to confirm your account has the right permissions before connecting.

Google Drive

• User account (read-only)

  Let us show your file and folder names, details, and previews. Used when you want to browse and pick files but not change them.

• Admin account (read-only)

  Adds access to group information (like group names and members). Needed if your company manages files by groups.

• Admin account (read and write)

  Full access to create, edit, or delete files and folders. Choose this if you want us to create or update content in your Drive.

SharePoint

• User account (read-only)

  Let us see the files, folders, and sites you have access to. Basic profile info is included.

• Admin account (read-only)

  Adds visibility into groups, memberships, and admin settings. Needed if your company uses SharePoint groups to control access.

• Admin account (read and write)

  Full access to create and manage files, folders, and site content across your organization.

OneDrive

• User account (read-only)

  Let us show your files, folders, and sites. Includes basic profile information.

• Admin account (read and write)

  Full access to view, create, and manage files across users and groups. Needed for shared workspaces.

Dropbox

• User account (read-only)

  View your files, folders, and sharing settings.

• User account (read and write)

  View and edit files. For example, uploading or updating a file.

• Admin account (read-only)

  Adds access to team-level info, like member lists and groups.

• Admin account (read and write)

  Full access to manage content, users, and team settings.

Box

• User account (read and write)

  Let us view and edit your files and folders.

• Admin account (read and write)

  Adds the ability to manage users, groups, and webhooks (automatic notifications from Box).

• Super-admin account (read and write)

  Adds the ability to manage users, groups, and webhooks (automatic notifications from Box).

Read below if you want more explicit definitions of what each access level entails.

More detailed view: confirm if your account has the proper access

Google Drive

User account (read-only)

Scope: https://www.googleapis.com/auth/drive.readonly

We use information enabled by this scope to populate file and folder metadata information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. With selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use this scope to show the list of files, folders and drives to select from in the file picker UI.

This is required to view and download Drive files - example endpoints:

• GET /drive/v3/files

• GET drive/v3/files/{fileId}

Admin account (read-only)

Scopes

• https://www.googleapis.com/auth/drive.readonly

• https://www.googleapis.com/auth/admin.directory.group.readonly

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Required, to view groups on your domain. Scope for only retrieving group, group alias, and member information. Sample relevant endpoints that require this scope:

• /admin/directory/v1/groups

• /admin/directory/v1/groups/{id}/members

Admin account (read and write)

Scope: https://www.googleapis.com/auth/drive

We use the information enabled by this scope to perform create operations in Google Drive; for example, creating a folder or file in the Google Drive instance.

Required to be able to see, edit, create, and delete Google Drive files - example endpoint: POST drive/v3/files.

Sharepoint

User Account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Sites.Read.All: Read items in all site collections

  • User.Read: Sign in and read user profile

  • User.ReadBasic.All: Read all users' basic profiles

Admin account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read all group memberships

  • RoleManagement.Read.All: Used to check if the authenticated user is an Admin

  • RoleManagementPolicy.Read.Directory: Used to check if the authenticated user is an Admin

  • Sites.Read.All: Read items in all site collections

  • User.Read.All: Read all users' full profiles

Admin account (read and write)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Files.ReadWrite.All: Have full access to all files user can access

  • Files.ReadWrite.All: Read and write files in all site collections

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read group memberships

  • RoleManagement.Read.All: Used to check if the authenticated user is an Admin

  • RoleManagementPolicy.Read.Directory: Used to check if the authenticated user is an Admin

  • Sites.Manage.All: Create, edit, and delete items and lists in all site collections

  • Sites.ReadWrite.All: Edit or delete items in all site collections

  • User.Read.All: Read all users' full profiles

  • Sites.FullControl.All : Maintain drive level permissions.

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also, see the attached screenshots at the bottom of the article for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

• GET /drives/{drive-id}/items/{item-id}/children

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

• GET /groups

• GET /groups/{id}/members

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All

Sample relevant endpoints that require these scopes:

• GET /sites

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

• GET /me

• GET /users/{id | userPrincipalName}

• GET /users

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

• POST /drives/{drive-id}/items/{parent-item-id}/children

• POST /groups/{group-id}/drive/items/{parent-item-id}/children

• POST /me/drive/items/{parent-item-id}/children

• POST /sites/{site-id}/drive/items/{parent-item-id}/children

• POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.FullControl.All

Sample relevant endpoints that require these scopes:

• https://learn.microsoft.com/en-us/graph/api/resources/site?view=graph-rest-1.0

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

OneDrive

User account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read group memberships

  • User.Read: Sign in and read user profile

  • User.ReadBasic.All: Read all users' full profiles

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also see attached screenshots below for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

• GET /drives/{drive-id}/items/{item-id}/children

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

• GET /groups

• GET /groups/{id}/members

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All, Sites.Read.All

Sample relevant endpoints that require these scopes:

• GET /sites

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

• GET /me

• GET /users/{id | userPrincipalName}

• GET /users

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Sites.Search.All

Sample relevant endpoints that require these scopes:

• GET /sites?search={query}

We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

• POST /drives/{drive-id}/items/{parent-item-id}/children

• POST /groups/{group-id}/drive/items/{parent-item-id}/children

• POST /me/drive/items/{parent-item-id}/children

• POST /sites/{site-id}/drive/items/{parent-item-id}/children

• POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.ReadWrite.All

Sample relevant endpoints that require these scopes:

• https://learn.microsoft.com/en-us/graph/api/resources/site?view=graph-rest-1.0

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Dropbox

User account (read-only)

• account_info.read

• files.metadata.read

• files.content.read

• sharing.read

User account (read and write)

• account_info.read

• files.metadata.read

• files.metadata.write

• files.content.read

• files.content.write

• sharing.read

• sharing.write

Admin account (read-only)

• account_info.read

• files.metadata.read

• files.content.read

• sharing.read

• team_info.read

• team_data.member

• team_data.governance.read

• team_date.content.read

• files.team_metadata.read

• members.read

• groups.read

• events.read

Admin read and write

• account_info.read

• files.metadata.read

• files.metadata.write

• files.content.read

• files.content.write

• sharing.read

• sharing.write

• team_info.read

• team_data.member

• team_data.governance.read

• team_data.governance.write

• team_data.content.read

• team_data.content.write

• files.team_metadata.read

• files.team_metadata.write

• members.read

• groups.read

• events.read

Scopes used may differ from the default because Dropbox requires all integrations to specify specific scopes. Please check the linking flow to see what permissions are being requested for your integration.

Why each scope is needed:

Default permissions (not configurable, applies to all OAuth apps)

• account_info.read: View basic information about your Dropbox account such as your username, email, and country

• files.metadata.read: View information about your Dropbox files and folders

• sharing.read: View your Dropbox sharing settings and collaborators

Additional permissions

• files.metadata.write: View and edit information about your Dropbox files and folders

  • Used for POST /files/properties/add

• files.content.write: Edit content of your Dropbox files and folders

  • Used for POST /files/upload

• files.content.read: View content of your Dropbox files and folders

  • Used for POST /files/download

• sharing.write: View and manage your Dropbox sharing settings and collaborators

  • Used for POST /files/properties/add

Box

User account (read and write)

• root_readonly

• root_readwrite

• manage_managed_users

• manage_groups

• manage_webhook

Admin (read and write)

• root_readonly

• root_readwrite

• manage_managed_users

• manage_groups

• manage_webhook

Why each scope is needed:

root_readonly

• To read files and folders stored in Box.

manage_managed_users

• Manage users. Gives an application permission to manage Managed Users.

• Although this allows an application manage users, for client-side applications, the Access Token used must be associated with an Admin or Co-Admin with the correct permissions.

manage_groups

• Gives an application permission to manage an enterprise's groups. It allows the app to create, update, and delete groups, as well as manage group membership.

• Although this allows an application manage groups, for client-side applications, the Access Token used must be associated with an Admin Co-Admin with the correct permissions.

root_readwrite

• Gives an application write access for the authenticated user. This allows the application to upload files or new file versions, download content, create new folders, update or delete collaborations, create comments or tasks, and more.

• Although this gives an application read/write access to items, the user making the API call needs to have access to the content.

manage_webhook

• Gives an application permission to create webhooks for a user. Please review webhook limitations. Most notably, there is a limit of 1000 webhooks per application, per user.