Overview

Each File Storage integration requires specific scopes for varying levels of access, such as read-only, read-write, and administrative permissions. The scopes enable actions like viewing, editing, creating, and managing files and folders, user information, groups, and collaborations within the respective cloud storage platforms. This article explains the necessity of each scope and the types of operations they facilitate.

Google Drive

User account (read-only)

Scope: https://www.googleapis.com/auth/drive.readonly

We use information enabled by this scope to populate file and folder metadata information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. With selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use this scope to show the list of files, folders and drives to select from in the file picker UI.

This is required to view and download Drive files - example endpoints:

• GET /drive/v3/files

• GET drive/v3/files/{fileId}

Admin account (read-only)

Scopes

• https://www.googleapis.com/auth/drive.readonly

• https://www.googleapis.com/auth/admin.directory.group.readonly

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Required, to view groups on your domain. Scope for only retrieving group, group alias, and member information. Sample relevant endpoints that require this scope:

• /admin/directory/v1/groups

• /admin/directory/v1/groups/{id}/members

Admin account (read and write)

Scope: https://www.googleapis.com/auth/drive

We use the information enabled by this scope to perform create operations in Google Drive; for example, creating a folder or file in the Google Drive instance.

Required to be able to see, edit, create, and delete Google Drive files - example endpoint: POST drive/v3/files.

Sharepoint

User Account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Sites.Read.All: Read items in all site collections

  • User.Read: Sign in and read user profile

  • User.ReadBasic.All: Read all users' basic profiles

Admin account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read all group memberships

  • RoleManagement.Read.All: Used to check if the authenticated user is an Admin

  • RoleManagementPolicy.Read.Directory: Used to check if the authenticated user is an Admin

  • Sites.Read.All: Read items in all site collections

  • User.Read.All: Read all users' full profiles

Admin account (read and write)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Files.ReadWrite.All: Have full access to all files user can access

  • Files.ReadWrite.All: Read and write files in all site collections

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read group memberships

  • RoleManagement.Read.All: Used to check if the authenticated user is an Admin

  • RoleManagementPolicy.Read.Directory: Used to check if the authenticated user is an Admin

  • Sites.Manage.All: Create, edit, and delete items and lists in all site collections

  • Sites.ReadWrite.All: Edit or delete items in all site collections

  • User.Read.All: Read all users' full profiles

  • Sites.FullControl.All : Maintain drive level permissions.

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also, see the attached screenshots at the bottom of the article for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

• GET /drives/{drive-id}/items/{item-id}/children

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

• GET /groups

• GET /groups/{id}/members

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All

Sample relevant endpoints that require these scopes:

• GET /sites

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

• GET /me

• GET /users/{id | userPrincipalName}

• GET /users

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

• POST /drives/{drive-id}/items/{parent-item-id}/children

• POST /groups/{group-id}/drive/items/{parent-item-id}/children

• POST /me/drive/items/{parent-item-id}/children

• POST /sites/{site-id}/drive/items/{parent-item-id}/children

• POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.FullControl.All

Sample relevant endpoints that require these scopes:

• https://learn.microsoft.com/en-us/graph/api/resources/site?view=graph-rest-1.0

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

OneDrive

User account (read-only)

• Microsoft Graph

  • Files.Read.All: Read all files that user can access

  • Group.Read.All: Read all groups

  • GroupMember.Read.All: Read group memberships

  • User.Read: Sign in and read user profile

  • User.ReadBasic.All: Read all users' full profiles

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also see attached screenshots below for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

• GET /drives/{drive-id}/items/{item-id}/children

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

• GET /groups

• GET /groups/{id}/members

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All, Sites.Read.All

Sample relevant endpoints that require these scopes:

• GET /sites

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

• GET /me

• GET /users/{id | userPrincipalName}

• GET /users

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Sites.Search.All

Sample relevant endpoints that require these scopes:

• GET /sites?search={query}

We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

• POST /drives/{drive-id}/items/{parent-item-id}/children

• POST /groups/{group-id}/drive/items/{parent-item-id}/children

• POST /me/drive/items/{parent-item-id}/children

• POST /sites/{site-id}/drive/items/{parent-item-id}/children

• POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.ReadWrite.All

Sample relevant endpoints that require these scopes:

• https://learn.microsoft.com/en-us/graph/api/resources/site?view=graph-rest-1.0

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Dropbox

User account (read-only)

• account_info.read

• files.metadata.read

• files.content.read

• sharing.read

User account (read and write)

• account_info.read

• files.metadata.read

• files.metadata.write

• files.content.read

• files.content.write

• sharing.read

• sharing.write

Admin account (read-only)

• account_info.read

• files.metadata.read

• files.content.read

• sharing.read

• team_info.read

• team_data.member

• team_data.governance.read

• team_date.content.read

• files.team_metadata.read

• members.read

• groups.read

• events.read

Admin read and write

• account_info.read

• files.metadata.read

• files.metadata.write

• files.content.read

• files.content.write

• sharing.read

• sharing.write

• team_info.read

• team_data.member

• team_data.governance.read

• team_data.governance.write

• team_data.content.read

• team_data.content.write

• files.team_metadata.read

• files.team_metadata.write

• members.read

• groups.read

• events.read

Scopes used may differ from the default because Dropbox requires all integrations to specify specific scopes. Please check the linking flow to see what permissions are being requested for your integration.

Why each scope is needed:

Default permissions (not configurable, applies to all OAuth apps)

• account_info.read: View basic information about your Dropbox account such as your username, email, and country

• files.metadata.read: View information about your Dropbox files and folders

• sharing.read: View your Dropbox sharing settings and collaborators

Additional permissions

• files.metadata.write: View and edit information about your Dropbox files and folders

  • Used for POST /files/properties/add

• files.content.write: Edit content of your Dropbox files and folders

  • Used for POST /files/upload

• files.content.read: View content of your Dropbox files and folders

  • Used for POST /files/download

• sharing.write: View and manage your Dropbox sharing settings and collaborators

  • Used for POST /files/properties/add

Box

User account (read and write)

• root_readonly

• root_readwrite

• manage_managed_users

• manage_groups

• manage_webhook

Admin (read and write)

• root_readonly

• root_readwrite

• manage_managed_users

• manage_groups

• manage_webhook

Why each scope is needed:

root_readonly

• To read files and folders stored in Box.

manage_managed_users

• Manage users. Gives an application permission to manage Managed Users.

• Although this allows an application manage users, for client-side applications, the Access Token used must be associated with an Admin or Co-Admin with the correct permissions.

manage_groups

• Gives an application permission to manage an enterprise's groups. It allows the app to create, update, and delete groups, as well as manage group membership.

• Although this allows an application manage groups, for client-side applications, the Access Token used must be associated with an Admin Co-Admin with the correct permissions.

root_readwrite

• Gives an application write access for the authenticated user. This allows the application to upload files or new file versions, download content, create new folders, update or delete collaborations, create comments or tasks, and more.

• Although this gives an application read/write access to items, the user making the API call needs to have access to the content.

manage_webhook

• Gives an application permission to create webhooks for a user. Please review webhook limitations. Most notably, there is a limit of 1000 webhooks per application, per user.