There are several different types of user accounts available in the Box Object Model that can be used to support a variety of use cases.
The admin account for your Box Enterprise is also the overall owner of your Box Enterprise. An admin account is granted access to manage some resources within a Box Enterprise that a managed user cannot. For example, a Box Admin can manage Groups, Users, Metadata Templates, as well as various Enterprise-level settings.
Some custom applications, integrations, and Box Marketplace offerings will require that you sign in using the admin credentials during the OAuth2 authentication process. Usually, this need comes from elevated access requirements to resources in your Enterprise, such as monitoring your Enterprise event logs or creating a new group. A practical example of applications needing elevated privileges is the various CASB and security applications available on the Box Marketplace. Usually, these types of applications monitor the Enterprise event log to take action on various events and thus need admin-level access.
Box Admin for Developer Accounts
When creating a Developer Account with an email address that is not associated with an existing Box Enterprise, a brand new Box Enterprise is created. The Box Admin for this new Enterprise will also use the email address you use when creating your Developer Account.
A managed user is a Box account that exists within a specific Box Enterprise. Managed users take up seats in a Box Enterprise and are generally how employees of a company log in to use Box within the company's Enterprise.
A managed user's account is inaccessible via the API with JWT-based custom applications unless you explicitly select specific configuration settings for your Box application.
An External User is a Box user that has been invited to collaborate on content in a Managed User's Box account via a collaboration invitation. This user has a Box account; however, it belongs to a different Box Enterprise than that of a Managed User. External Users listed in the Box Admin Console do not belong to your Box Enterprise. You cannot create or manage External Users via the API.
A service account is created inside a Box Enterprise when you authorize a custom JWT-based Box application.
A service account user is a special type of user that accesses Box only via the API. The service account user's permissions can vary based on what scopes you assign to your custom application, but it's most useful to consider the service account user either as a co-admin in an Enterprise or as the account to manage App Users in a JWT-based custom application.
The service account associated with a Box View application has some additional restrictions that a service account within a JWT-based custom application does not:
- All content used within the Box View application must be uploaded and owned by this service account and the service account cannot access any other user or any other user's content.
- This service account is also unable to create any type of new user.
- This service account can only access a subset of APIs related to previewing content.
- Generally, this service account is used to upload content to view and create special downscoped tokens that can be used to view the uploaded content.
An app user is a special account created when developing custom applications on Box Platform. An app user has no login credentials and can only access Box via the API. App users are managed by service accounts and admin accounts.