Protect and Control frequently asked questions (FAQs)

Admins Updated May 24, 2026

Overview and basics

Who can access Dash Protect and Control?

Protect and Control is available only to admins on Dropbox Dash for Business. Users without admin access can’t view or manage Protect and Control settings.

When should admins use Protect and Control?

Admins should use Protect and Control any time they want to review or manage access to company documents as part of ongoing access oversight and data governance efforts.

Company links and document access

What are company links?

Company links make it easy to share documents broadly inside an organization, but they can also increase exposure if they’re shared more widely than intended. Protect and Control helps admins find and manage documents that use company links so they can review or limit access when needed.

When a document has a company link:

The link works only for people signed in with your company account
Anyone in the organization who has the link can access the document, even if they aren’t a named collaborator
Access level depends on the link’s access level setting, such as view or edit

Learn how to manage shared links in the Dash Protect and Control dashboard.

How can Protect and Control help manage shared company links?

Protect and Control helps admins identify documents that have company or public links and remove or limit those links to reduce risk.

If I remove an account or link, does it affect a user’s ability to access Dash?

No. Dash access is limited to users with assigned licenses. Removing personal accounts, external vendors, or public links only changes access to specific documents. It doesn’t affect their ability to use Dash.

Do company links automatically grant access to documents?

No. Users can only see documents they already have access to as collaborators or through previously accessed links. Cleaning up company links does not expand document access.

Admin access and access levels

Can admins view document contents?

No. Dash admins are not automatically granted access to document contents. They can view access levels and metadata, such as collaborators and sharing links, but they can’t view document contents unless they already have access.

Note: Admins aren’t added as collaborators by default, but they can add themselves if needed. If a document has a company or public link, admins can also use that link to access the document.

Learn how to add collaborators.

Can admins remove an owner from an item?

No. The Remove collaborator action only removes collaborators, not owners. This prevents documents, folders, or drives from being left without an owner.

Connected apps and data sources

What apps are supported?

Protect and Control supports the following apps:

Google Drive
Dropbox
Microsoft OneDrive, SharePoint, and Teams documents

Learn how to connect apps to Dropbox Dash.

Can you monitor files outside of supported connected apps?

No. Protect and Control only lets you monitor files connected to Google Drive, Dropbox, Microsoft OneDrive, SharePoint, and Teams.

Content from apps that aren’t connected won’t appear in Protect and Control.

Accounts and identities

Which user accounts appear in Protect and Control?

Protect and Control shows user accounts that have access to documents in the apps connected to Dash.

This includes:

Active accounts
Suspended or archived accounts
Accounts that are owners or collaborators
Accounts with access through company or public links

Notes:

Deleted accounts may appear briefly until the connected app finishes synchronizing.
For Dropbox, invited team members are also shown.
Only accounts with document-level access in the connected app appear in Protect and Control.

Which Microsoft user accounts appear in Protect and Control?

For Microsoft 365, Protect and Control shows user accounts that have access to at least one document, drive, or SharePoint or Teams item.

This includes owners and collaborators.

Note: User accounts that exist in Azure but don’t have access to any content won’t appear because Protect and Control displays accounts based on document access levels.

Which Google user accounts appear in Protect and Control?

For Google Drive, account information is collected from the Google Workspace Directory.

Protect and Control shows user accounts that have access to documents in My Drive or shared drives, based on directory and access level data.

Admins can limit which users are included using directory controls. Only accounts that have access to content will appear.

Which Dropbox user accounts appear in Protect and Control?

For Dropbox, Protect and Control shows all Dropbox team member accounts returned by the Dropbox API.

These accounts appear if they have access to content or are part of the connected Dropbox team.

Why don’t some groups or service accounts appear as expected?

Some groups and service accounts don’t have associated email addresses, including Dropbox groups and certain Microsoft service accounts.

Because Protect and Control relies on email domains to classify accounts as internal, outside, or personal, these accounts:

May not appear in the Shared with column on the Protect and Control dashboard
Can’t be filtered using owner or collaborator filters
Can’t be targeted by actions that rely on email addresses

These limitations only apply to accounts with document access in the connected app.

How quickly does a new account appear in Protect and Control?

A new user account will appear in Protect and Control after the user creates a document or is granted access to a document in a connected app.

It can take up to about one hour for the account and its access levels to appear, depending on synchronization timing.

File visibility and synchronization

What types of files appear in Protect and Control?

Protect and Control displays files, folders, shared drives, and other shared containers across connected apps.

Items that don’t have an owner, collaborators, or sharing links are hidden from the interface.

App-specific exceptions include:

Dropbox: Archived team folders and folders where all internal access has been removed
Google: Shared drives with no owner and no internal access

Why isn’t a file appearing in Protect and Control?

A file may not appear for several reasons:

The file is in an app that isn’t connected to Dash
The file has no owner, collaborators, or sharing links
The file was recently created, deleted, or had its access levels changed and hasn’t finished synchronizing
The file is excluded due to app-specific limitations

Most updates appear within about one hour. If the file still doesn’t appear after that time, check that the app is connected and that the file has active access levels.

Do deleted items appear in Protect and Control?

No. Deleted items aren’t displayed in Protect and Control.

If an item was previously visible and then deleted, it can take up to about one hour for that change to appear due to synchronization timing.

How long does it take for updates to appear?

Protect and Control doesn’t update in real time. Data from connected apps is synchronized on a regular schedule.

Updates typically appear within about one hour after a change occurs in a connected app or after an action is run.

If you don’t see updates after more than one hour, refresh the page or check the status of the connected app.

Managing links, collaborators, and document access

What actions can admins take on documents?

Protect and Control allows admins to manage document access across connected apps by taking the following actions:

Add a link. Create a company or public link to an item
Remove a link. Remove a company or public link from an item
Add a collaborator. Grant a user access to an item
Remove a collaborator. Remove a user’s access to an item
Stop sharing. Remove all links and collaborators from an item
Delete. Move an item to trash in the connected app

Notes:

Dropbox team documents don’t have owners. If you use Stop sharing, all access is removed and the item will no longer appear in Protect and Control.
Deleted items are moved to trash based on the connected app’s retention behavior. Shared drives, user drives, and SharePoint sites can’t be deleted.

Learn how to manage shared links in the Dash Protect and Control dashboard.

How long do access changes take to complete?

Small actions may complete in seconds. Large bulk actions can take 30 minutes or longer, depending on how many items are affected.

What are inherited access levels and why can’t I modify them?

Access levels are settings that come from a top-level folder, shared drive, site, or library in a connected app. When access levels are applied at a higher level, they automatically apply to all nested files and subfolders.

Protect and Control follows the access level model of each connected app, such as Google Drive, Dropbox, and Microsoft 365. Because the access levels are controlled by the source app, they can’t be changed on individual files or subfolders. If you try, you’ll see an error indicating that the access level is managed at the top-level and can’t be modified at that level.

Learn how to manage and fix errors with top-level access in Protect and Control.

When do changes appear on the Protect and Control dashboard?

After an action runs, it can take up to about one hour for updates to appear while connected services confirm access level changes.

How can I confirm that an action succeeded?

You can review results in the Action history log.

Learn how to use the Action history page in Dash.

I tried removing a public link, but Action history shows no results. Why?

This usually means the filtered items didn’t include any public links, so no changes were made.

However, if the change was made recently, wait about an hour and try again.

Managing and automating document access

How can I automate document access control in Protect and Control?

You can automate document access management by using Policies. Policies allow admins to define rules based on access conditions, such as:

Documents with open company or public links
Documents shared with external collaborators
Other access-related criteria

When a policy condition is met, Dash Protect and Control can send notifications to admins, automatically take actions such as removing links or access, or both.

How the policy responds depends on how it’s configured.

To learn more, see:

How do policy notifications work?

If a policy has alerting enabled, selected admins receive an email every 24 hours.

The email includes:

The policy name
The number of matching items
A link to view those items in Protect and Control

Can alerts be sent through Slack?

No. Slack notifications aren’t supported.

Columns, filters, and dashboard data

What does “Shared with: Private” mean?

Shared with: Private means only the owner has access to the item.

However, Dropbox groups aren’t included in the Shared with count. Because of this, an item may appear as Private even if a Dropbox group has access.

What do the Last modified and Age columns mean?

Last modified shows the most recent time the item was edited or its access levels were changed.
Age shows when the item was created or uploaded.

For Dropbox, the Age column may be blank because creation date information isn’t always available through the API.

How do filters work in Protect and Control?

Filters let you narrow results based on document access and activity criteria.

Last modified and Age filters use predefined time ranges and follow the PST and PDT time zones.
Keyword filters search item titles and support OR logic when multiple keywords are used.
Other filters, such as Shared with, Link type, and App, help you focus on specific types of access or connected apps.

Learn how to use filters on the Dash Protect and Control dashboard.

Why does the modified date look older than the age date?

In rare cases, connected app APIs may return inconsistent timestamps, especially after items are moved or ownership changes occur.

This can result in the Last modified date appearing older than the Age date.

File ownership in connected apps

What does the Owner field represent?

The Owner field shows the account that owns the file in the connected app, such as Google Drive, Microsoft 365, or Dropbox.

This refers to file-level ownership in the source system, not Dash ownership or admin roles.

What does “Unknown” file owner mean?

An item may display Unknown as the file owner when Protect and Control can’t retrieve ownership details from the connected app.

This can occur in cases such as:

A shared drive that doesn’t have an assigned manager
An item owned by an external account where ownership details aren’t visible to your organization

What does “Team” file owner mean in Dropbox?

In Dropbox, Team ownership means the file belongs to a Team folder rather than an individual user.

Team folders and their contents don’t have individual file owners. Instead, ownership is managed at the team level within Dropbox.

Product functionality and limits

Does Protect and Control limit file size?

No. Protect and Control doesn’t limit the size of files in connected apps. File size limits are determined by the connected app.

Learn how to connect apps to Dropbox Dash.

Can admins view the contents of files?

No. Protect and Control doesn’t support file previews.

To protect sensitive information, admins can view access levels and metadata but can’t open or view file contents unless they already have access in the connected app.

What reporting and export features are available in Protect and Control?

Protect and Control includes built-in reporting and export capabilities to help admins review document ownership and sharing across connected apps.

Overview report. Provides a high-level summary of items, ownership, and sharing activity, including open links and external access.
Stale access report. Highlights items that haven’t been modified for a specified period of time, helping identify potentially outdated or high-risk content.
Action history. Shows the results of actions run in Protect and Control, including successful updates, skipped actions, and errors.

Admins can also export filtered results and report data to CSV.

Learn more:

Action history and error handling

What is Action history?

The Action history page shows the results of actions run in Protect and Control.

Each item included in an action may return a different result. Some items may update successfully, while others may be skipped return errors.

What information appears in the Action history details pane?

Each Action history entry includes a details pane that provides additional context about the action.

The details pane shows:

The actor (the admin who ran the action)
The action performed
The timestamp
The total number of items selected
The number of successful updates
The number of skipped updates
The number of errors

Error message and handling

The table below explains common errors by action type and connected app.

Status	Description	Message	Troubleshooting
Error	Item limit has been reached. Some apps limit how many items can be updated at once. Select fewer items and try again.	There are too many items selected to apply fixes.	Select fewer items and retry the action again. For Google, select less than 500,000 total items. For Dropbox, select less than 10,000 total items.
Error	The app connection is limited. The app has temporarily limited some actions. Try again later.	There is an issue with the app connection, but the reason is unknown.	Try again at a later time.
Error	The app connection is not active. Reconnect the app and try again. If the problem continues, check the app and its settings.	This happens with the app is disconnected. The integration required to perform this action is disconnected or not configured correctly.	Try reconnecting the integration and try again.
Error	Some access could not be removed. Some sharing access was removed, but some may still be active. This can happen if the app blocked the change or if syncing is still in progress. Try again later.	This occurs when some links or collaborators were removed, but not all.	Try again at a later time.
Error	Item not found.	This occurs if an item was moved, deleted, or is not yet available.	Try again at a later time.
Error	Something went wrong. There was a problem.	This happens when an unspecified error occurs.	Try again at a later time.
Skipped	No permission to make this change. Permission to make this change may be controlled externally. If possible, contact the item owner or an app admin for help.	This occurs when a user with sufficient permissions was not found or when you try to perform an action on a user that's not part of the organization.	Update access in the source app.
Skipped	Cannot add collaborator. The collaborator doesn't yet have access to the selected app. Confirm they have access and try again later.	This occurs when an admin tries to add a collaborator that does not have access to selected connector. Sometimes ingestion lag can cause delays with trying to add a collaborator to an item.	Check the collaborators’ access to the source app and try again later.
Skipped	Not allowed by app settings. The settings for this action are turned off in the app. To make this change, update the settings in the app and try again.	This specific error message occurs because the the source app is not configured to allow for this change.	Check the source app settings and try again.
Skipped	Access update not required. Access was previously updated. No further action is required.	This occurs when an account being removed was previously already removed.	Check the access in the source app and try again.
Skipped	Access update not required. The account already has access through a group. The requested action is completed.	The account already has access.	No action is needed.
Skipped	Access permission managed by top-level source. Access is managed by a folder, drive, or app that includes this item. Update access at the top-level source. If the top-level source was selected, no further action is required.	This error occurs when access is managed at the top level source (folder or drive).	Check the top level item. If it was updated, no action is needed. If it wasn’t updated, remove access at the top level.
Skipped	Cannot update owner access. Access for item owners and admins can't be changed until ownership is transferred to someone else.	This occurs because the system prevents owners being removed from items.	Change the owner of the item and try again.
Skipped	Action is not allowed for this top-level source. This action is not allowed for top-level source folders, sites or shared drives.	This occurs if you are trying to delete a shared drive. This action is not allowed.	Nothing further can be done in Protect and Control, but you can try this action in the source app.
Skipped	Action is not supported for this item. Can't update because the app doesn't support this action for this item.	This occurs when a connector doesn't support a certain action.	Nothing further that can be done in Protect and Control, but you can try this action in the source app.
Skipped	Action is not allowed for Microsoft 365. Microsoft 365 groups can’t be removed.	This error occurs if you try removing Microsoft 365 groups from Team sites that they were created on.	Nothing further that can be done in Protect and Control, but you can try this action in the source app.
Skipped	Guest access update required. Can't complete this action while a guest link is still active. Remove guest access, then try again.	This error occurs when attempting to remove a company link when a guest link is present in Microsoft 365. Guest access in Microsoft cannot exist without the Company (Everyone group) permission.	Remove the guest link and try again.

Was this article helpful?

Yes, thanks!

Not really

Thanks for your feedback!

Other ways to get help

Community

Contact support

Social media support