When making API calls to various objects, the following error can be returned in the response:
This error comes from the way that Box checks for permissions. For any action taken via the API, Box checks the following:
- The permissions of the user who owns the access token
- The permissions/scopes of the application
If one of these checks returns insufficient permissions, then the error will be returned. This list is not exhaustive. Box has many access control options available, so please refer to specific details of the API call.
Box Platform - API Calls to Box via a custom application
User does not have permission to perform the requested action.
Step 1: Check that the user has permission to do the task. The easiest way to check is to see whether the same action can be done via the Web App. For example:
- If attempting to use the 'As-User' header with another user, check if you can use the 'Log in as this user' option via the administrator console. In this example, common situations are users not having co-admin permissions, co-admins trying to as-user as another co-admin, or co-admins trying to as-user as the primary admin.
- If attempting to use an advanced feature like Legal Holds, the enterprise must have access to the feature.
- You cannot add a collaborator to your root folder.
NOTE: Co-admins do not have permission to manage other co-admin accounts.
Step 2: Check that the application has permission to do the task by looking at the scopes enabled for the application. There are potentially two places to check:
- Standard and Server Authentication: The Configuration page for the app on the Developer Console.
- Server Authentication Only: The App's Authorization in the enterprise via Admin Console > Business/Enterprise settings > Apps > Custom Application > View App Authorization.
- When admins authorize a Server Auth app in the admin console, the authorization for the app is the set of scopes the app has at the time that it was authorized. If the scopes change after the app was originally authorized, the app must be reauthorized for the changes to take effect in the enterprise (admin has to effectively "approve" changes in the app's scopes).
E.g., If making a call to the /users endpoint, "manage users" must be enabled.
If you need further assistance, please file a ticket with Box User Services.