Overview
Each file storage integration requires specific scopes for varying levels of access, such as read-only, read-write, and administrative permissions. The scopes enable actions like viewing, editing, creating, and managing files and folders, user information, groups, and collaborations within the respective cloud storage platforms. This article explains the necessity of each scope and the types of operations they facilitate.
Google Drive
Read-only for non admins
We use the information enabled by this scope to populate file and folder metadata, such as descriptions, the drive a file or folder belongs to, file thumbnails and URLs, file and folder names, and MIME types. With selective sync enabled, we only process the files, folders and drives that the end user has chosen to sync.
We also use this scope to show the list of files, folders and drives to select from in the file picker UI.
This is required to view and download Drive files - example endpoints:
Read-only for admins
Scopes
We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.
Required to view groups on your domain; this scope only allows retrieving group, group alias, and member information, not changing it. Sample relevant endpoints that require this scope:
Read and write for admins
We use the information enabled by this scope to perform create operations in Google Drive; for example, creating a folder or file in the Google Drive instance.
Required to be able to see, edit, create, and delete Google Drive files - example endpoint: POST drive/v3/files.
Sharepoint
Requested app scopes
Admin Read Only
Microsoft Graph
Files.Read: Read user files
Files.Read.All (delegated): Read all files that user can access
Files.Read.All (application): Read files in all site collections
Group.Read.All (delegated): Read all groups
Group.Read.All (application): Read all groups
GroupMember.Read.All (delegated): Read group memberships
GroupMember.Read.All (application): Read all group memberships
Sites.Read.All (delegated): Read items in all site collections
Sites.Read.All (application): Read items in all site collections
User.Read: Sign in and read user profile
User.Read.All: Read all users' full profiles
SharePoint
Sites.Search.All
: Run search queries as a user
Admin Read and Write
Microsoft Graph
Files.Read: Read user files
Files.Read.All: Read all files that user can access
Files.ReadWrite: Have full access to user files
Files.ReadWrite.All (delegated): Have full access to all files user can access
Files.ReadWrite.All (application): Read and write files in all site collections
Group.Read.All (delegated): Read all groups
Group.Read.All (application): Read all groups
GroupMember.Read.All (delegated): Read group memberships
GroupMember.Read.All (application): Read all group memberships
Sites.Manage.All: Create, edit, and delete items and lists in all site collections
Sites.ReadWrite.All: Edit or delete items in all site collections
User.Read: Sign in and read user profile
User.Read.All: Read all users' full profiles
Non-Admin Read Only
Microsoft Graph
Files.Read.All: Read all files that user can access
Sites.Read.All: Read items in all site collections
User.Read: Sign in and read user profile
User.ReadBasic.All: Read all users' basic profiles
Why each scope is needed
Refer to Microsoft’s permissions reference for the full definition of each requested permission; the sections below explain why the integration needs each one. Also see the attached screenshots at the bottom of the article for a description of each requested scope.
Microsoft also explains the differences between delegated and application permissions. That distinction is why some permissions appear twice in the lists above: once in the delegated form (acting as the signed-in user) and once in the application form (acting without a user, which is the broader grant and needs admin consent).
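The practical way to confirm which form of these permissions an access token actually carries is to look at its claims: a delegated Microsoft Graph token lists its scopes in the space-separated scp claim, while an app-only token lists its app roles in the roles claim. The script below is an added example, not code from the integration or from Microsoft; it decodes a token you already hold, without verifying the signature (so it is for inspection only, never for making an authorisation decision), and checks the granted permissions against the read-only and read-write tiers listed on this page. The tokens it inspects are constructed, unsigned samples built inline.

```python
import base64
import json

# Permission names exactly as they appear in the tiers on this page.
READ_ONLY_SCOPES = {
    "Files.Read", "Files.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Sites.Read.All", "Sites.Search.All", "User.Read", "User.Read.All",
    "User.ReadBasic.All",
}
WRITE_SCOPES = {
    "Files.ReadWrite", "Files.ReadWrite.All", "Sites.Manage.All", "Sites.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only suitable for inspecting a token you already hold; never trust the
    result for authorisation, since anyone can forge an unsigned payload.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims: dict) -> tuple:
    """Delegated tokens carry space-separated scopes in 'scp';
    application (app-only) tokens carry app roles in 'roles'."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "unknown", set()


def audit(token: str, expected_write: bool) -> dict:
    """Compare the token's permissions with the tier the integration was set up for."""
    kind, perms = granted_permissions(decode_claims(token))
    write = sorted(perms & WRITE_SCOPES)
    return {
        "permission_type": kind,
        "write_permissions": write,
        # Write permissions on a connection that was meant to be read-only.
        "unexpected_write": [] if expected_write else write,
        # Permissions this page does not document at all; ask about them.
        "unlisted": sorted(perms - READ_ONLY_SCOPES - WRITE_SCOPES),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples (not real tokens): a delegated token that was supposed to be
# read-only but also carries Files.ReadWrite.All, and a read-only app-only token.
SAMPLE_DELEGATED = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.Read.All Sites.Read.All User.Read Files.ReadWrite.All",
})
SAMPLE_APP_ONLY = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Sites.Read.All", "Group.Read.All"],
})

if __name__ == "__main__":
    print(audit(SAMPLE_DELEGATED, expected_write=False))
    print(audit(SAMPLE_APP_ONLY, expected_write=False))
```

Run it against a real token by pasting the token string in place of the samples; the first sample reports Files.ReadWrite.All under unexpected_write, which is the case to investigate when a read-only connection was intended.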
Files.Read, Files.Read.All, Files.Read.All
Sample relevant endpoint that requires these scopes:
We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.
We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.
Sites.Read.All, Sites.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
User.Read, User.Read.All, User.ReadBasic.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate information about users, such as names and email addresses.
Sites.Search.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All
Sample relevant endpoints that require these scopes:
POST /drives/{drive-id}/items/{parent-item-id}/children
POST /groups/{group-id}/drive/items/{parent-item-id}/children
POST /me/drive/items/{parent-item-id}/children
POST /sites/{site-id}/drive/items/{parent-item-id}/children
POST /users/{user-id}/drive/items/{parent-item-id}/children
We use information enabled by these scopes to read and create files and folders.
Sites.Manage.All, Sites.ReadWrite.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
OneDrive
Requested app scopes
Read and Write
Microsoft Graph
Files.Read: Read user files
Files.Read.All: Read all files that user can access
Files.ReadWrite: Have full access to user files
Files.ReadWrite.All: Read and write files in all site collections
Group.Read.All: Read all groups
GroupMember.Read.All: Read all group memberships
User.Read: Sign in and read user profile
User.Read.All: Read all users' full profiles
Read Only
Microsoft Graph
Files.Read.All: Read all files that user can access
Group.Read.All: Read all groups
GroupMember.Read.All: Read group memberships
User.Read: Sign in and read user profile
User.ReadBasic.All: Read all users' basic profiles
Why each scope is needed
Refer to Microsoft’s permissions reference for the full definition of each requested permission; the sections below explain why the integration needs each one. Also see the attached screenshots below for a description of each requested scope.
Microsoft also explains the differences between delegated and application permissions: the delegated form acts as the signed-in user and is limited to what that user can reach, while the application form acts without a user and needs admin consent.
Files.Read, Files.Read.All, Files.Read.All
Sample relevant endpoint that requires these scopes:
We use information enabled by these scopes to read files and folders that a user has access to. This enables us to populate file and folder information, such as descriptions, the drive the file or folder belongs to, file thumbnails and URLs, file and folder names, and file mime types. Note that, with selective sync enabled, we’ll only process the files, folders and drives that the end user would like to have synced.
We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Group.Read.All, Group.Read.All, GroupMember.Read.All, GroupMember.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate group information, such as the name of the group and the users which belong in the group.
Sites.Read.All, Sites.Read.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to surface sites and populate file and folder information in sites that the user has access to. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
User.Read, User.Read.All, User.ReadBasic.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to populate information about users, such as names and email addresses.
Sites.Search.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to search for SharePoint sites using specific keywords. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Files.ReadWrite, Files.ReadWrite.All, Files.ReadWrite.All
Sample relevant endpoints that require these scopes:
POST /drives/{drive-id}/items/{parent-item-id}/children
POST /groups/{group-id}/drive/items/{parent-item-id}/children
POST /me/drive/items/{parent-item-id}/children
POST /sites/{site-id}/drive/items/{parent-item-id}/children
POST /users/{user-id}/drive/items/{parent-item-id}/children
We use information enabled by these scopes to read and create files and folders.
Sites.Manage.All, Sites.ReadWrite.All
Sample relevant endpoints that require these scopes:
We use information enabled by these scopes to read and write items in site collections. These scopes also enable us to populate information about permissions such as the group that is granted permission, which permissions are enabled, and what type of people have access to the file. We also use these scopes to show the list of files, folders and drives to select from in the file picker UI.
Dropbox
Requested app scopes
For the default OAuth app
account_info.read
files.metadata.read
sharing.read
files.metadata.write
files.content.write
files.content.read
sharing.write
The scopes actually requested may differ from this default list, because Dropbox requires every integration to declare the specific scopes it uses. Check the linking flow to see which permissions are being requested for your integration.
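The linking flow redirects the browser to Dropbox's /oauth2/authorize endpoint, and the requested permissions are carried in that URL's scope parameter (space-delimited, as RFC 6749 section 3.3 prescribes). The script below is an added example, not code from the integration or from Dropbox: it pulls the scope list out of such a URL copied from the browser and compares it with the default and additional scopes listed on this page, so that a write scope or an undocumented scope stands out before anyone clicks Allow. The authorize URL it parses is constructed inline with a placeholder client_id and was not captured from any real linking flow.

```python
from urllib.parse import urlparse, parse_qs

# Scope tiers exactly as listed on this page for the Dropbox integration.
DEFAULT_SCOPES = {"account_info.read", "files.metadata.read", "sharing.read"}
ADDITIONAL_SCOPES = {
    "files.metadata.write", "files.content.write", "files.content.read", "sharing.write",
}


def requested_scopes(authorize_url: str) -> set:
    """Return the scopes requested in a Dropbox /oauth2/authorize URL.

    parse_qs turns '+' and '%20' back into spaces, so splitting on whitespace
    recovers the individual scope names.
    """
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_scopes(scopes: set) -> dict:
    """Classify the requested scopes against this page's lists."""
    return {
        # Anything ending in .write lets the app change content or sharing state.
        "write": sorted(s for s in scopes if s.endswith(".write")),
        "read_only": sorted(s for s in scopes if not s.endswith(".write")),
        # Scopes this page never mentions deserve a question before approval.
        "not_documented_here": sorted(scopes - DEFAULT_SCOPES - ADDITIONAL_SCOPES),
        # The page says these three are always present; if one is missing, the
        # link is not the standard scoped-app flow described here.
        "missing_defaults": sorted(DEFAULT_SCOPES - scopes),
    }


# Constructed sample link (placeholder client_id, not a real app key).
SAMPLE_AUTHORIZE_URL = (
    "https://www.dropbox.com/oauth2/authorize"
    "?client_id=APP_KEY_PLACEHOLDER&response_type=code&token_access_type=offline"
    "&scope=account_info.read+files.metadata.read+sharing.read"
    "+files.content.read+files.content.write+team_info.read"
)

if __name__ == "__main__":
    result = audit_scopes(requested_scopes(SAMPLE_AUTHORIZE_URL))
    for key, value in result.items():
        print(f"{key}: {', '.join(value) or '(none)'}")
```

For the sample link the audit reports files.content.write as the only write scope and team_info.read as a scope this page does not document; a read-only deployment should expect an empty write list.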
Why each scope is needed
Default permissions (not configurable, applies to all OAuth apps)
account_info.read: View basic information about your Dropbox account such as your username, email, and country
files.metadata.read: View information about your Dropbox files and folders
sharing.read: View your Dropbox sharing settings and collaborators
Additional permissions
files.metadata.write: View and edit information about your Dropbox files and folders
Used for POST /files/properties/add
files.content.write: Edit content of your Dropbox files and folders
Used for POST /files/upload
files.content.read: View content of your Dropbox files and folders
Used for POST /files/download
sharing.write: View and manage your Dropbox sharing settings and collaborators
Used for the /sharing endpoints that change sharing state, such as POST /sharing/add_folder_member. (POST /files/properties/add is covered by files.metadata.write above, not by this scope.)
Box
Requested app scopes
Non-Admin
manage_managed_users
manage_groups
Admin
root_readonly
root_readwrite
manage_managed_users
manage_groups
manage_webhook
Why each scope is needed
root_readonly
Gives an application read-only access to files and folders stored in Box. As with root_readwrite, the user making the API call still needs to have access to the content.
manage_managed_users
Manage users. Gives an application permission to manage Managed Users.
Although this allows an application to manage users, for client-side applications the access token used must be associated with an Admin or Co-Admin with the correct permissions.
manage_groups
Gives an application permission to manage an enterprise's groups. It allows the app to create, update, and delete groups, as well as manage group membership.
Although this allows an application to manage groups, for client-side applications the access token used must be associated with an Admin or Co-Admin with the correct permissions.
root_readwrite
Gives an application write access for the authenticated user. This allows the application to upload files or new file versions, download content, create new folders, update or delete collaborations, create comments or tasks, and more.
Although this gives an application read/write access to items, the user making the API call needs to have access to the content.
manage_webhook
Gives an application permission to create webhooks for a user. Please review Box's webhook limitations; most notably, there is a limit of 1,000 webhooks per application, per user.