How to manage and fix errors with top-level access in Protect and Control

Admins Updated May 24, 2026

In this article

person icon

The information in this article applies to admins on Dropbox Dash.

Top-level access follows the access model of each connected app. Apps like Google Drive, Dropbox, and Microsoft 365 apply access at the top-level and extends the access to all lower-level items. Because the top access levels are controlled by the source app, it can only remove or change them at the top-level in Protect and Control. If you try to remove inherited access from files or subfolders, you’ll receive an error indicating that the access is imanaged at a top-level and can’t be modified at that level.

To update or remove access, you must change access-levels in the app where they were originally assigned.

For example, if you apply a fix to public links that are more than three years old and the access is managed by a top-level source, the link is removed from the folder and from any files or subfolders that inherit it. As a result, items within the folder may also lose access, even if they were modified more recently than three years ago. This behavior occurs regardless of which filter surfaced the folder.

Fixes only remove access managed by the top-level source. Access applied directly to a file or subfolder isn’t removed. This will happen to shared drives and personal drive folders.

Common top-level access errors

 

Connected app Explanation
Google Drive

Since access levels are typically assigned at the top-level, you must update them at the shared drive or highest-level folder, or drive..

Direct access levels that were added at the lower level can still be removed individually. However, if a user has an Editor role on a shared drive, you can’t remove their access from subfolders because it’s inherited from the shared drive.

Items must also have at least one Manager. You can’t remove the last Manager from a shared drive or folder. In My Drive, folders and files also inherit access levels from their top-level folder, so access changes must begin at the top-level folder.
Dropbox

Access levels can be inherited at both the folder and file level. If access levels are granted to a top-level folder, then all lower-level folders and files inherit that access. In Protect and Control, access levels managed at a top-level can’t be removed at the lower-level. To change access managed at the top-level, update access level on the top-level in Dropbox.

Direct access added to a specific file or folder can be removed individually.
Microsoft 365

Access inheritance is common across SharePoint sites, document libraries, and folders. If a lower-level inherits access from a top-level site or library, you won’t be able to remove the access at the lower-level.

In some cases, the option to remove the access is disabled because the access is inherited.

Organizational policies, site-level settings, or privacy configurations may also restrict access changes. To update access levels, modify the access levels at the top-level site, library, or folder where inheritance begins.

Step 1. Identify errors for items with access managed at a top-level

  1. Log in using your admin credentials. Learn how to access Protect and Control.
  2. Use filters to narrow results, such as shared drives, ownership, or access type.
  3. Select an item to review its access levels.

Step 2. Remove direct access

Before updating inherited access levels in the source app, remove any direct access levels in Protect and Control. This ensures only inherited access levels remain and clarifies the access structure.

  1. In Protect and Control, locate and select the affected item.
  2. Review the access levels list and identify any access levels that aren’t labeled as inherited.
  3. Remove the direct links or collaborators. Learn how to manage shared links.
  4. Confirm that only access levels managed at a top-level remain on the item.

Step 3. Fix inherited issues in the source app

If access are inherited, you must update them at the top-level in the source app.

  1. Identify the top-level folder, shared drive, site, or library listed on the inherited access level.
  2. Go to the source app.
  3. Update or remove access-levels at that top-level location.
    • Google Drive. Update permissions at the shared drive or top-level folder where access levels were originally granted. For example, if a user should no longer have access, remove their role, such as Contributor, at the shared drive level.
    • Dropbox. If access-levels are inherited by subfolders or files, update access-levels on the top-level folder in Dropbox. Changes at the top-level folder apply to all nested content.
    • Microsoft 365. Modify access at the top-level site, document library, or folder where inheritance begins. Changes must be made at the level that controls the inherited access levels.
highlighter icon

Note: Changes made in the source app at the top-level apply to all lower-level files and folders that inherit those access levels.

Step 4. Confirm your changes and track history

  1. Return to Protect and Control.
  2. Click Action history.
  3. Review completed actions to confirm which access-levels were removed.
  4. Check for any actions that were blocked due to inherited access levels.

If access was blocked due to inheritance, return to the source app and confirm that the change was made at the correct top-level.

Learn how to use the Action history page.

Was this article helpful?

Let us know how why it didn't help:

Thanks for letting us know!

Thanks for your feedback!

Related Articles

View Protect and Control reports in Dash

How to access the Protect and Control page

How to fix security risks in Dropbox Protect

How to manage shared links in the Dash Protect and Control dashboard

Other ways to get help

Icon depicting two people
Community
Icon depicting a speech bubble
Contact support
Twitter Icon
Social media support