Data security apps integrate with several different cloud providers via Kloudless, enabling them to offer solutions such as Data Loss Prevention across multiple content repositories without having to learn the ins-and-outs of each one.

Security-oriented apps commonly need to identify malicious or compromised files or objects. For example, by scanning through all content in a cloud storage tenant via admin account privileges. Once identified, the app can then “quarantine” the threat by moving it out of reach to an isolated location. A lot of the time, that secure location is simply within an administrator account in the cloud service itself. This lets the DLP app preserve important information such as the file’s version history, its original creator, links to the file, and more.

However, quarantine functionality isn’t straightforward to implement a lot of the time. Consider Box, for example. The Box API docs make no mention of moving a file across users via an admin account. The straightforward implementation would be to download the file impersonating the user and then upload it to the admin user’s account. This destroys all version history, however.

Fortunately, file collaboration permissions provide a simpler mechanism to achieve this functionality.

Transferring Files via Shared Folders

Shared folders present one solution to preserve file history. First, the developer app impersonates the user whose file needs to be removed and creates a folder (Box docs) to share with the admin:

curl -X POST https://api.box.com/2.0/folders \<br>    -H "Authorization: Bearer ACCESS_TOKEN" \<br>    -H "Box-Notifications: off" -H "As-User: USER_ID" \<br>    -d '{"name":"temp", "parent": {"id": "0"}}'

We use the As-User header to impersonate the user. The Box-Notifications:off header prevents Box from notifying users of this background activity.

The app continues to impersonate the user to make the admin user a co-owner of the new folder (Box docs):

curl -X POST https://api.box.com/2.0/collaborations \<br>    -H "Authorization: Bearer ACCESS_TOKEN" \<br>    -H "Box-Notifications: off" -H "As-User: USER_ID" \<br>    -d '{<br>        "item": {<br>            "id": "FOLDER_ID",<br>            "type": "folder"<br>         },<br>         "accessible_by": {<br>             "id": "USER_ID",<br>             "type": "user"<br>         },<br>         "role": "co-owner"<br>    }'

Note that if the admin user is not set up to automatically accept collaborations, the app must also update the collaboration (Box docs) with {'status': 'accepted'} as the admin to accept the pending collaboration.

The app then moves the file to the shared folder as the user and moves it out of the shared folder as the admin. Here’s the API request to move the file out of the shared folder (Box docs):

curl -X PUST https://api.box.com/2.0/files/FILE_ID \<br>    -H "Authorization: Bearer ACCESS_TOKEN" \<br>    -H "Box-Notifications: off" -H "As-User: ADMIN_USER_ID" \<br>    -d '{"parent": {"id": "FOLDER_ID"}}'

The app then deletes the folder (Box docs) while impersonating the user that created it:

curl https://api.box.com/2.0/folders/FOLDER_ID?recursive=true \<br>    -X DELETE -H "Authorization: Bearer ACCESS_TOKEN" \<br>    -H "Box-Notifications: off" -H "As-User: USER_ID"<br>

The admin user, or any other destination, now has access to the original file.

This approach works with several other cloud storage services as well, such as Dropbox and Google Drive. Some cloud providers may include more straightforward ways to transfer files, such as OneDrive for Business.