platform app issues: users and as-user

[kennyparsons]

• [X] I have checked that the [SDK documentation][sdk-docs] doesn't solve my issue.
• [X] I have checked that the [API documentation][api-docs] doesn't solve my issue.
• [X] I have searched the [Box Developer Forums][dev-forums] and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
• [X] I have searched [Issues in this repo][github-repo] and my issue isn't already reported.

Description of the Issue

I am working with a platform application authorized with the app access level set to App Access Only. The application has the following scopes: read, write, and manage users, and I have enabled the advanced feature to make API calls using the as-user header.

I am authenticating using the client credentials grant flow, and the application is successfully authorized and approved. My ultimate goal is to use Python to manage collaborations and download files from our Box tenant. However, I am encountering issues with the following:

1. When I attempt to list users using client.users.get_users(), it consistently returns no users, even though my app has manage users scope and the advanced as-user header feature is enabled.
2. I am unclear on the correct way to use the as-user header or impersonate users (e.g., an admin or managed user) to programmatically manage collaborators and perform actions on behalf of other users.

I know I am successfully authenticated because I can retrieve the current user, which shows the name of the platform application. However, I am stuck on retrieving all user IDs and impersonating users programmatically using the SDK.

Steps to Reproduce

1. Create a platform application with App Access Only access level and scopes: read, write, and manage users.
2. Enable the advanced feature to make API calls using the as-user header.
3. Authenticate using the client credentials grant flow and the Box Python SDK Gen.
4. Attempt to list users using client.users.get_users() and observe that the result has no users.
5. Attempt to use the as-user header to impersonate a user but fail to understand the correct method or see desired results (I am unclear on how to do this step).

Expected Behavior

• Listing users with client.users.get_users() should return a list of all users visible to the service account.
• Using the as-user header to impersonate a user should allow performing actions on their behalf (TBD)

Error Message, Including Stack Trace

No specific error is raised, but the client.users.get_users() method returns an empty list of users.

Screenshots

N/A

Versions Used

Python SDK: box_sdk_gen==1.7.0 Python Version: 3.12.4

[congminh1254]

Hi @kennyparsons

I believe that if you want to use "Make API calls using the as-user header" or "Generate user access tokens", you will need to have "App + Enterprise Access" for the App Access Level.

You can try the function client.users.get_user_me() to see if the as-user is working correctly for your request. As I tested, if App Access Level is "App Access Only" but use as-user header, I got error 403 with message Authorization Failed

Bests, Minh

[kennyparsons]

can you share your snippet to use the as-user header in python? I have yet to figure it out.

[congminh1254]

Here is my code snippet:

ccg_config = CCGConfig("APP ID", "APP Secret", enterprise_id="EID")
auth = BoxCCGAuth(config=ccg_config)
client = BoxClient(auth=auth)
service_account = client.users.get_user_me()
print(f"Service Account user ID is {service_account.id}")

# Use as-user header
client = client.with_as_user_header("USER ID")
user_account = client.users.get_user_me()
print(f"User Account user ID is {user_account.id}")

This code is not working with App Access Only but App + Enterprise Access.