Hello everyone.
I'm developing a Box app, authenticated using JWT, that will need to be restricted to certain folders created by other federated users within our enterprise. When selecting the application scopes, I see that it has "read/write all folders" and "read all folders". Does this mean that it has access to all user-created files and folders, or that it only has access to read/write all files and folders that it created?
I understand that a service account is created with the Box app, so, to restrict access, are we only required to add the service account as a collaborator on specific folders? Or does "read/write all folders" mean I must pursue something further, such as downscoping, to achieve the goal that I want?
For example:
```python
# client is an authenticated boxsdk Client for the app's JWT service account
scopes = ['base_upload', 'item_delete']
folder_ids = ['***phone number removed for privacy***', '***number removed for privacy***41']
for id in folder_ids:
    resource = client.folder(folder_id=id)
    # exchange the service-account token for one limited to these scopes on this folder
    client.downscope_token(scopes, item=resource)
```
Also, if I must downscope, are those the proper scopes to allow my application to upload content and delete items within those parent folders and their subfolders? Or is this step not necessary, since I must add the app as a collaborator anyway in order for it to access those folders?
Any clarification would be greatly appreciated!