The document outlines application access and the associated concerns, including user types, content types, and default scopes for managing data. It details various capabilities enabled by different scopes such as managing users, groups, webhooks, and enterprise properties. Additionally, it discusses advanced features for JWT applications, which allow for user actions and token management without traditional OAuth flows.

2. Application Access

4. 4
Concern Areas:
Type of Users
Types of Content
Default Scopes
Type of Users: Will you be working with users
within an entire enterprise, or just the app?
Types of Content: Do you need to access and
manage data within the enterprise?
Default Scopes: Read / Write (A,E), Manage
Users (A,E), Manage Groups (A,E), Manage
Enterprise Properties (E).

6. Application Scopes

8. Scope Name: root_readwrite
Capabilities:
• Upload / view / download / update file
versions.
• Create / edit / delete collaborations,
tags, tasks, comments, @mentions,
task assignments, notifications, and
collections.
• View enterprise profile information.
8

9. 9
Scope Name: manage_managed_users
Capabilities:
• Subset of manage enterprise scope
• Add / view / edit / delete / activate /
disable Box users.
• Change primary login, reset password,
change role for managed user and
enterprise content.

10. 10
Scope Name: manage_app_users
Capabilities:
• Allows application to provision and
manage its own app users.
• Add / view / edit / delete / activate /
disable app users.

11. 11
Scope Name: manage_groups
Capabilities:
• Subset of manage an enterprise scope
• View / create / edit / delete groups and
group memberships for all users.

12. 12
Scope Name: manage_webhook
Capabilities:
• Allows your app to programmatically
control webhooks.
• Create / fetch / update / delete new or
existing webhooks.

13. 13
Scope Name:
manage_enterprise_properties
Capabilities:
• Subset of the manage an enterprise
scope.
• View and edit enterprise attributes
and reports, edit and delete device
pinners (what devices can use
native Box applications).

14. 14
Scope Name: manage_data_retention
Capabilities:
• View, create, and fetch content
retention policies with Box
Governance.

15. Advanced Application Features (JWT)

17. Purpose: Perform actions on behalf of
another user.
Capabilities:
• Needed for full SDK functionality
for user actions (As-User header)
• Allows you to properly manage
users, their content, and actions.
17

18. 18
Purpose: For JWT applications,
create individual OAuth 2 tokens for
users.
Capabilities:
• Needed for full SDK functionality
for JWT application user actions.
• Allows you to bypass the need for
credentials in the typical OAuth 3-
legged flow.

19. Authorization and Applications