AWS amazonq high security documentation change
Summary
Updated Box connector documentation to detail role/permission mappings, permission inheritance rules, identity crawling behavior, and failure handling mechanisms
Security assessment
The changes explicitly describe security controls including permission inheritance, fail-close approach for API failures, and document skipping during permission issues. These mechanisms prevent unauthorized access to documents, indicating direct security relevance.
Diff
diff --git a/amazonq/latest/qbusiness-ug/box-user-management.md b/amazonq/latest/qbusiness-ug/box-user-management.md index 6b30ac4bb..13eb4fc33 100644 --- a//amazonq/latest/qbusiness-ug/box-user-management.md +++ b//amazonq/latest/qbusiness-ug/box-user-management.md @@ -11 +11 @@ Amazon Q Business supports crawling ACLs for document security by default. -When you connect an Box data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Box instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level. +**Roles/permissions** : The Box connector translates Box permissions into ACLs that are compatible with Amazon Q Business. There are seven primary roles with permissions: @@ -13 +13 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw - * `_group_ids`—Group IDs exist in Box on files where there are set access permissions. They are mapped from the names of the groups in Box. + * Co-owner - Has full control, can change advanced folder settings @@ -15 +15 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw - * `_user_id`—User IDs exist in Box on files where there are set access permissions. They are mapped from the user emails as the user IDs in Box. + * Editor - Has read/write access, can view, download, edit, delete, and manage sharing. @@ -16,0 +17 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw + * Viewer - Has read-only access, can preview and download @@ -17,0 +19 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw + * Uploader - Has limited write access, can only upload and see names @@ -18,0 +21 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw + * Viewer Uploader - A combination of Viewer and Uploader capabilities @@ -20 +23 @@ When you connect an Box data source to Amazon Q Business, Amazon Q Business craw -For more information, see: + * Previewer - Has limited read access, can only preview items @@ -22 +25 @@ For more information, see: - * [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) + * Previewer Uploader - A combination of Previewer and Uploader capabilities @@ -24 +26,0 @@ For more information, see: - * [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler) @@ -26 +27,0 @@ For more information, see: - * [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) @@ -28,0 +30 @@ For more information, see: +**Permission Inheritance** : Files/subfolders inherit permissions from parent folders by default. Permissions follow a "waterfall" design where individuals have access to the folder they are invited into and any subfolders beneath it. Changing permissions on subfolders will result in an error because collaboration is only changeable at the item where it was created. @@ -29,0 +32,7 @@ For more information, see: +**Identity Crawling** : Individual user and group synchronization is supported via email addresses. Each user gets a unique user ID, even if recreated with the same email address. Permissions are tied to user IDs, not email addresses. + +Change Management: ACL changes are supported in change log mode, including collaboration invites, accepts, and role changes. + +Failure handling: The connector implements a fail-close approach for API failures, with rate limiting handled through queue-based wait time with exponential backoff. Documents are skipped from ingestion rather than being made publicly accessible when permission-related issues occur. + +For more information, see [Key data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/-connector-app.html#-connector-key-concepts).