Protect and Control Frequently Asked Questions (FAQs)

Admins Updated Mar 03, 2026

Overview and basics

Who can access Dash Protect and Control?

Protect and Control is available only to admins on Dropbox Dash for Business. Users without admin access can’t view or manage Protect and Control settings.

When should admins use Protect and Control?

Admins should use Protect and Control any time they want to review or manage access to company documents as part of ongoing access oversight and data governance efforts.

Company links and document access

What are company links?

Company links make it easy to share documents broadly inside an organization, but they can also increase exposure if they’re shared more widely than intended. Protect and Control helps admins find and manage documents that use company links so they can review or limit access when needed.

When a document has a company link:

The link works only for people signed in with your company account
Anyone in the organization who has the link can access the document, even if they aren’t a named collaborator
Access level depends on the link’s permission setting, such as view or edit

Learn how to manage shared links in the Dash Protect and Control dashboard.

How can Protect and Control help manage shared company links?

Protect and Control helps admins identify documents that have company or public links and remove or limit those links to reduce risk.

If I remove an account or link, does it affect a user’s ability to access Dash?

No. Dash access is limited to users with assigned licenses. Removing personal accounts, external vendors, or public links only changes access to specific documents. It doesn’t affect their ability to use Dash.

Do company links automatically grant access to documents?

No. Users can only see documents they already have access to as collaborators or through previously accessed links. Cleaning up company links does not expand document access.

Admin access and permissions

Can admins view document contents?

No. Dash admins are not automatically granted access to document contents. They can view permissions and metadata, such as collaborators and sharing links, but they can’t view document contents unless they already have access.

Note: Admins aren’t added as collaborators by default, but they can add themselves if needed. If a document has a company or public link, admins can also use that link to access the document.

Learn how to add collaborators.

Can admins remove an owner from an item?

No. The Remove collaborator action only removes collaborators, not owners. This prevents documents, folders, or drives from being left without an owner.

Connected apps and data sources

What apps are supported?

Protect and Control supports the following apps:

Google Drive
Dropbox
Microsoft OneDrive, SharePoint, and Teams documents

Learn how to connect apps to Dropbox Dash.

Can you monitor files outside of supported connected apps?

No. Protect and Control only lets you monitor files connected to Google Drive, Dropbox, Microsoft OneDrive, SharePoint, and Teams.

Content from apps that aren’t connected won’t appear in Protect and Control.

Accounts and identities

Which user accounts appear in Protect and Control?

Protect and Control shows user accounts that have access to documents in the apps connected to Dash.

This includes:

Active accounts
Suspended or archived accounts
Accounts that are owners or collaborators
Accounts with access through company or public links

Notes:

Deleted accounts may appear briefly until the connected app finishes synchronizing.
For Dropbox, invited team members are also shown.
Document-level access accounts in the connected app appear, not Dash login users.

Which Microsoft user accounts appear in Protect and Control?

For Microsoft 365, Protect and Control shows user accounts that have access to at least one document, drive, or SharePoint or Teams item.

This includes owners and collaborators.

Note: User accounts that exist in Azure but don’t have access to any content won’t appear because Protect and Control displays accounts based on document permissions.

Which Google user accounts appear in Protect and Control?

For Google Drive, account information is collected from the Google Workspace Directory.

Protect and Control shows user accounts that have access to documents in My Drive or shared drives, based on directory and permission data.

Admins can limit which users are included using directory controls. Only accounts that have access to content will appear.

Which Dropbox user accounts appear in Protect and Control?

For Dropbox, Protect and Control shows all Dropbox team member accounts returned by the Dropbox API.

These accounts appear if they have access to content or are part of the connected Dropbox team.

Why don’t some groups or service accounts appear as expected?

Some groups and service accounts don’t have associated email addresses, including Dropbox groups and certain Microsoft service accounts.

Because Protect and Control relies on email domains to classify accounts as internal, outside, or personal, these accounts:

May not appear in the Shared with column on the Protect and Control dashboard
Can’t be filtered using owner or collaborator filters
Can’t be targeted by actions that rely on email addresses

These limitations apply to document access accounts in the connected app, not Dash login accounts.

How quickly does a new account appear in Protect and Control?

A new user account will appear in Protect and Control after the user creates a document or is granted access to a document in a connected app.

It can take up to about one hour for the account and its permissions to appear, depending on synchronization timing.

File visibility and synchronization

What types of files appear in Protect and Control?

Protect and Control displays files, folders, shared drives, and other shared containers across connected apps.

Items that don’t have an owner, collaborators, or sharing links are hidden from the interface.

App-specific exceptions include:

Dropbox: Archived team folders and folders where all internal access has been removed
Google: Shared drives with no owner and no internal access

Why isn’t a file appearing in Protect and Control?

A file may not appear for several reasons:

The file is in an app that isn’t connected to Dash
The file has no owner, collaborators, or sharing links
The file was recently created, deleted, or had its permissions changed and hasn’t finished synchronizing
The file is excluded due to app-specific limitations

Most updates appear within about one hour. If the file still doesn’t appear after that time, check that the app is connected and that the file has active permissions.

Do deleted items appear in Protect and Control?

No. Deleted items aren’t displayed in Protect and Control.

If an item was previously visible and then deleted, it can take up to about one hour for that change to appear due to synchronization timing.

How long does it take for updates to appear?

Protect and Control doesn’t update in real time. Data from connected apps is synchronized on a regular schedule.

Updates typically appear within about one hour after a change occurs in a connected app or after an action is run.

If you don’t see updates after more than one hour, refresh the page or check the status of the connected app.

Managing links, collaborators, and document access

What actions can admins take on documents?

Protect and Control allows admins to manage document access across connected apps by taking the following actions:

Add a link. Create a company or public link to an item
Remove a link. Remove a company or public link from an item
Add a collaborator. Grant a user access to an item
Remove a collaborator. Remove a user’s access to an item
Stop sharing. Remove all links and collaborators from an item
Delete. Move an item to trash in the connected app

Notes:

Dropbox team documents don’t have owners. If you use Stop sharing, all access is removed and the item will no longer appear in Protect and Control.
Deleted items are moved to trash based on the connected app’s retention behavior. Shared drives, user drives, and SharePoint sites can’t be deleted.

Learn how to manage shared links in the Dash Protect and Control dashboard.

How long do access changes take to complete?

Small actions may complete in seconds. Large bulk actions can take 30 minutes or longer, depending on how many items are affected.

What are inherited permissions and why can’t I modify them?

Inherited permissions are access settings that come from a parent folder, shared drive, site, or library in a connected app. When permissions are applied at a higher level, they automatically apply to all nested files and subfolders.

Protect and Control follows the permission model of each connected app, such as Google Drive, Dropbox, and Microsoft 365. Because inherited permissions are controlled by the source app, they can’t be changed on individual files or subfolders. If you try, you’ll see an error indicating that the permission is inherited and can’t be modified at that level.

Learn how to manage and fix errors with inherited permissions in Protect and Control.

When do changes appear on the Protect and Control dashboard?

After an action runs, it can take up to about one hour for updates to appear while connected services confirm permission changes.

How can I confirm that an action succeeded?

You can review results in the Action history log.

Learn how to use the Action history page in Dash.

I tried removing a public link, but Action history shows no results. Why?

This usually means the filtered items didn’t include any public links, so no changes were made.

Managing and automating document access

How can I automate document access control in Protect and Control?

You can automate document access management by using Policies. Policies allow admins to define rules based on access conditions, such as:

Documents with open company or public links
Documents shared with external collaborators
Other access-related criteria

When a policy condition is met, Dash can:

Send notifications to admins
Automatically take actions, such as removing links or access

How the policy responds depends on how it’s configured.

To learn more, see:

When do automations run?

Automations run once every 24 hours at 8:00 AM UTC.

How do policy notifications work?

If a policy has alerting enabled, team admins receive an email every 24 hours.

The email includes:

The policy name
The number of matching items
A link to view those items in Protect and Control

Can alerts be sent through Slack?

No. Slack notifications aren’t supported.

Columns, filters, and dashboard data

What does “Shared with: Private” mean?

Shared with: Private means only the owner has access to the item.

However, Dropbox groups aren’t included in the Shared with count. Because of this, an item may appear as Private even if a Dropbox group has access.

What do the Last modified and Age columns mean?

Last modified shows the most recent time the item was edited or its permissions were changed.
Age shows when the item was created or uploaded.

For Dropbox, the Age column may be blank because creation date information isn’t always available through the API.

How do filters work in Protect and Control?

Filters let you narrow results based on document access and activity criteria.

Last modified and Age filters use predefined time ranges and follow the PST and PDT time zones.
Keyword filters search item titles and support OR logic when multiple keywords are used.
Other filters, such as Shared with, Link type, and App, help you focus on specific types of access or connectors.

Learn how to use filters on the Dash Protect and Control dashboard.

Why does the modified date look older than the age date?

In rare cases, connected app APIs may return inconsistent timestamps, especially after items are moved or ownership changes occur.

This can result in the Last modified date appearing older than the Age date.

File ownership in connected apps

What does the Owner field represent?

The Owner field shows the account that owns the file in the connected application, such as Google Drive, Microsoft 365, or Dropbox.

This refers to file-level ownership in the source system, not Dash ownership or admin roles.

What does “Unknown” file owner mean?

An item may display Unknown as the file owner when Protect and Control can’t retrieve ownership details from the connected app.

This can occur in cases such as:

A shared drive that doesn’t have an assigned manager
An item owned by an external account where ownership details aren’t visible to your organization

What does “Team” file owner mean in Dropbox?

In Dropbox, Team ownership means the file belongs to a Team folder rather than an individual user.

Team folders and their contents don’t have individual file owners. Instead, ownership is managed at the team level within Dropbox.

Product functionality and limits

Does Protect and Control limit file size?

No. Protect and Control doesn’t limit the size of files in connected apps. File size limits are determined by the connected app.

Learn how to connect apps to Dropbox Dash.

Can admins view the contents of files?

No. Protect and Control doesn’t support file previews.

To protect sensitive information, admins can view permissions and metadata but can’t open or view file contents unless they already have access in the connected app.

What reporting and export features are available in Protect and Control?

Protect and Control includes built-in reporting and export capabilities to help admins review document ownership and sharing across connected apps.

Overview report. Provides a high-level summary of items, ownership, and sharing activity, including open links and external access.
Stale access report. Highlights items that haven’t been modified for a specified period of time, helping identify potentially outdated or high-risk content.
Action history. Shows the results of actions run in Protect and Control, including successful updates and errors.

Admins can also export filtered results and report data to CSV. Note: Exporting data is currently only available through the All items area.

Learn more:

Action history and error handling

What is Action history?

The Action history page shows the results of actions run in Protect and Control.

Each item included in an action may return a different result. Some items may update successfully, while others may return errors.

Error messages are written and maintained by the Protect and Control team to help explain why an action didn’t complete as expected.

What information appears in the Action history details pane?

Each Action history entry includes a details pane that provides additional context about the action.

The details pane shows:

The actor (the admin who ran the action)
The action performed
The timestamp
The total number of items selected
The number of successful updates
The number of errors

Error message and handling

The table below explains common errors by action type and connected app.

Error Message	Answer	Action	Connected app
Could not add the link type to the item, because it already exists	Dropbox items can only have two direct links, one with view permission and one with edit permission. If a link with the selected permission already exists on the item, Protect and Control can’t add another. For example, if an item already has a Company link with edit permission, adding a Public link with edit permission will fail and be recorded in Action history.	Add link type	Dropbox
Could not add link type because it is not possible on this item	Links can’t be added to items where permission inheritance has been stopped. If an item doesn’t inherit sharing from its parent, adding a link isn’t supported and the action will fail.	Add link type	Dropbox
Could not take action because it is not possible on this item type	This error can occur for several reasons. Links can’t be added to member folders (user drives). Access can’t be added to archived items. Collaborators can’t be added to member folders. External collaborators can’t be added if external sharing is disabled. Member folders can’t be deleted. Edit access can’t be added to some file types, such as images or PDFs.	Add link type, Add collaborator, Remove collaborator, Delete item	Dropbox
Could not take action on this drive item due to inherited permissions	The item inherits permissions from a parent folder or drive. Protect and Control can’t remove or change inherited links, collaborators, or permissions. To make changes, retry the action at the top-level drive or folder.	Remove link type, Remove collaborator	Dropbox
Could not remove some access from this item due to inherited permissions	Some access on the item is inherited and can’t be removed. Protect and Control removes access that was added directly, but inherited access remains. Because not all access could be removed, the action returns an error. To fully remove access, retry the action at the top-level drive or folder.	Remove link type, Remove collaborator	Dropbox
Owners cannot have the permission changed	Protect and Control doesn’t allow permission changes for owners of member folders or their child items. This prevents items from being left without an owner.	Remove collaborator	Dropbox
Could not take action because item is a shared drive	Root team folders can’t be deleted in Dropbox.	Delete item	Dropbox
Could not take this action now due to an unresponsive 3rd party API	The connected service didn’t respond. There’s no known cause. Retry the action after 12 to 24 hours.	Add link type, Remove link type, Add collaborator, Remove collaborator	Dropbox, Google, Microsoft
Couldn't add the collaborator - The account may still be syncing or belong to a separate app	The account you’re trying to add hasn’t finished syncing yet or exists in a different app. Once syncing completes, the action may succeed.	Add collaborator	Dropbox, Google, Microsoft
Could not take action on this shared drive item due to inherited permissions	Permissions are inherited from a parent shared drive or folder. Changes must be made at the top-level drive or folder. This commonly affects subsites and document libraries in Microsoft and Google environments.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google, Microsoft
User’s access to Google Drive is disabled in Google	Google Drive is disabled for the account you’re trying to modify. Enable Drive access in the Google Admin console, then retry the action.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google
Item is externally owned. Insufficient permissions to perform the action	The item is owned outside your organization. If your internal account only has viewer or commenter access, Protect and Control can’t make changes.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google
Insufficient permissions to make changes to the item	No internal account has permission to modify this item.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google, Dropbox
Item not found	The item was deleted, but the app hasn’t synced the update yet. Retry the action later.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google
Item is a shortcut. Unable to perform the action	The item is a shortcut in Google Drive. Shortcuts don’t support permission changes.	Add link type, Remove link type, Add collaborator, Remove collaborator	Google
Account was not found to have access to the item	The account no longer has access, but the update hasn’t synced yet.	Remove collaborator	Google
Requested access permission change already occurred, no additional change was required	There was no permission to add or remove. This can happen due to syncing delays or because the permission already exists or was already removed.	Remove collaborator	Google
An authorization error occurred / Could not perform the selected operation because of an API error	The connected service returned an API error or the app was temporarily disconnected. This can also occur if the user is archived or suspended. For Google, re-enable Drive access and retry. Otherwise, retry the action after 12 to 24 hours.	Remove collaborator	Google, Microsoft
Item does not have the selected link type. No additional change was required	The link you’re trying to remove doesn’t exist on the item.	Remove link type	Google
Cannot add access of Owner type - Only read or write access can be added	Microsoft doesn’t allow adding owners through Protect and Control. Only read or write access can be added.	Add collaborator	Microsoft
Could not take this action because this feature is disabled in SharePoint	Organization-wide settings prevent adding Company or Public links.	Add link type	Microsoft
Could not take action because it is not possible on this item type	Public links can’t be added to parent SharePoint sites, personal sites, or personal OneDrive drives.	Add link type	Microsoft
Insufficient permissions to perform the action	Organization-wide settings or account status prevent the change. This can also occur during sync delays. Retry the action later or restore ownership in the admin console.	Add link type, Remove link type, Add collaborator, Remove collaborator	Microsoft, Google, Dropbox
Could not take this action because the link cannot be removed while the Guest link is present	Microsoft requires a Company link when a Guest link exists. The Company link can’t be removed until the Guest link is removed.	Remove link type	Microsoft
Could not take the action because Microsoft 365 groups cannot be removed from the site they were created on	Microsoft 365 groups can’t be removed from the Team site where they were created.	Remove collaborator	Microsoft
Could not take the action due to an undefined API error	A Microsoft API error with no known cause. Retry the action later.	Add link type, Remove link type, Add collaborator, Remove collaborator	Microsoft
Account already has access via a group. No additional change was required.	The user already has access through a SharePoint group, and Microsoft does not allow adding this user again.	Add collaborator	Microsoft

Was this article helpful?

Yes, thanks!

Not really

Thanks for your feedback!

Other ways to get help

Community

Contact support

Social media support