All Collections
Best Practice Guides
File Storage
Why are specific scopes needed for File Storage integrations?
Why are specific scopes needed for File Storage integrations?

An overview of the app scopes we request for File Storage integrations and how each are used

Amy Leung avatar
Written by Amy Leung
Updated over a week ago

Overview

Each file storage integration requires specific scopes for varying levels of access, such as read-only, read-write, and administrative permissions. The scopes enable actions like viewing, editing, creating, and managing files and folders, user information, groups, and collaborations within the respective cloud storage platforms. This article explains the necessity of each scope and the types of operations they facilitate.

Google Drive

Requested app scopes

Why each scope is needed

https://www.googleapis.com/auth/drive.readonly: required, in order to view and download Drive files. Sample relevant endpoints that require this scope:

We use information enabled by this scope to populate file and folder metadata information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. With selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use this scope to show the list of files, folders and drives to select from in the file picker UI.

https://www.googleapis.com/auth/admin.directory.group.readonly: required, to view groups on your domain. Scope for only retrieving group, group alias, and member information. Sample relevant endpoints that require this scope:

We use information enabled by this scope to populate group information, such as the name of the group and the users which belong in the group.

https://www.googleapis.com/auth/drive: required to be able to see, edit, create, and delete Google Drive files. Sample relevant endpoint that requires this scope:

We use information enabled by this scope to perform create operations in Google Drive; for example, creating a folder or file in the Google Drive instance.

Sharepoint

Requested app scopes

  • Admin Read Only

    • Microsoft Graph

      • Files.Read: Read user files

      • Files.Read.All: Read all files that user can access

      • Files.Read.All: Read files in all site collections

      • Group.Read.All: Read all groups

      • Group.Read.All: Read all groups

      • GroupMember.Read.All: Read group memberships

      • GroupMember.Read.All: Read all group memberships

      • Sites.Read.All: Read items in all site collections

      • Sites.Read.All: Read items in all site collections

      • User.Read: Read all users' full profiles

      • User.Read.All: Read all users' full profiles

    • SharePoint

      • Sites.Search.All: Run search queries as a user

  • Admin Read and Write

    • Microsoft Graph

      • Files.Read: Read user files

      • Files.Read.All: Read all files that user can access

      • Files.ReadWrite: Have full access to user files

      • Files.ReadWrite.All: Have full access to all files user can access

      • Files.ReadWrite.All: Read and write files in all site collections

      • Group.Read.All: Read all groups

      • Group.Read.All: Read all groups

      • GroupMember.Read.All: Read group memberships

      • GroupMember.Read.All: Read all group memberships

      • Sites.Manage.All: Create, edit, and delete items and lists in all site collections

      • Sites.ReadWrite.All: Edit or delete items in all site collections

      • User.Read: Sign in and read user profile

      • User.Read.All: Read all users' full profiles

  • Non-Admin Read Only

    • Microsoft Graph

      • Files.Read.All: Read all files that user can access

      • Sites.Read.All: Read items in all site collections

      • User.Read: Sign in and read user profile

      • User.ReadBasic.All: Read all users' basic profiles

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also, see the attached screenshots at the bottom of the article for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All, Sites.Read.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Sites.Search.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

  • POST /drives/{drive-id}/items/{parent-item-id}/children

  • POST /groups/{group-id}/drive/items/{parent-item-id}/children

  • POST /me/drive/items/{parent-item-id}/children

  • POST /sites/{site-id}/drive/items/{parent-item-id}/children

  • POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.ReadWrite.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

OneDrive

Requested app scopes

  • Read and Write

    • Microsoft Graph

      • Files.Read: Read user files

      • Files.Read.All: Read all files that user can access

      • Files.ReadWrite: Have full access to user files

      • Files.ReadWrite.All: Have full access to all files user can access

      • Files.ReadWrite.All: Read and write files in all site collections

      • Group.Read.All: Read all groups

      • Group.Read.All: Read all groups

      • GroupMember.Read.All: Read group memberships

      • GroupMember.Read.All: Read all group memberships

      • User.Read: Sign in and read user profile

      • User.Read.All: Read all users' full profiles

      • User.Read.All: Read all users' full profiles

  • Read Only

    • Microsoft Graph

      • Files.Read.All: Read all files that user can access

      • Group.Read.All: Read all groups

      • GroupMember.Read.All: Read group memberships

      • User.Read: Sign in and read user profile

      • User.ReadBasic.All: Read all users' full profiles

Why each scope is needed

Refer to Microsoft’s permissions reference for an in-depth explanation as to why we need each requested scope. Also see attached screenshots below for a description of each requested scope.

Explanation of differences between delegated and application permissions.

Files.Read, Files.Read.All, Files.Read.All

Sample relevant endpoint that requires these scopes:

We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.

We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.

Sites.Read.All, Sites.Read.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

User.Read, User.Read.All, User.ReadBasic.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to populate information about users, such as names and email addresses.

Sites.Search.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All

Sample relevant endpoints that require these scopes:

  • POST /drives/{drive-id}/items/{parent-item-id}/children

  • POST /groups/{group-id}/drive/items/{parent-item-id}/children

  • POST /me/drive/items/{parent-item-id}/children

  • POST /sites/{site-id}/drive/items/{parent-item-id}/children

  • POST /users/{user-id}/drive/items/{parent-item-id}/children

We use information enabled by these scopes to read and create files and folders.

Sites.Manage.All, Sites.ReadWrite.All

Sample relevant endpoints that require these scopes:

We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.

Dropbox

Requested app scopes

  • For the default OAuth app

    • account_info.read

    • files.metadata.read

    • sharing.read

    • files.metadata.write

    • files.content.write

    • files.content.read

    • sharing.write

Scopes used may differ from the default because Dropbox requires all integrations to specify specific scopes. Please check the linking flow to see what permissions are being requested for your integration.

Why each scope is needed

Default permissions (not configurable, applies to all OAuth apps)

  • account_info.read: View basic information about your Dropbox account such as your username, email, and country

  • files.metadata.read: View information about your Dropbox files and folders

  • sharing.read: View your Dropbox sharing settings and collaborators

Additional permissions

Box

Requested app scopes

  • Non-Admin

  • Admin

    • root_readonly

    • root_readwrite

    • manage_managed_users

    • manage_groups

    • manage_webhook

Why each scope is needed

root_readonly

  • To read files and folders stored in Box.

manage_managed_users

  • Manage users. Gives an application permission to manage Managed Users.

  • Although this allows an application manage users, for client-side applications, the Access Token used must be associated with an Admin or Co-Admin with the correct permissions.

manage_groups

  • Gives an application permission to manage an enterprise's groups. It allows the app to create, update, and delete groups, as well as manage group membership.

  • Although this allows an application manage groups, for client-side applications, the Access Token used must be associated with an Admin Co-Admin with the correct permissions.

root_readwrite

  • Gives an application write access for the authenticated user. This allows the application to upload files or new file versions, download content, create new folders, update or delete collaborations, create comments or tasks, and more.

  • Although this gives an application read/write access to items, the user making the API call needs to have access to the content.

manage_webhook

  • Gives an application permission to create webhooks for a user. Please review webhook limitations. Most notably, there is a limit of 1000 webhooks per application, per user.

Related Articles
File Storage Expectations
File Export and Download Specification
How can I access the Rippling integration?
Did this answer your question?