How to manage and fix errors with top-level access in Dropbox Protect

Admins Updated May 13, 2026

In this article

person icon

The information in this article applies to Dropbox Protect admins.

Top-level access follows the access model of each connected app. Apps like Google Drive, Dropbox, and Microsoft 365 apply access at the top-level and then extends the access to all lower-level items. Because the top access levels are controlled by the source app, it can only remove or change them at the top-level in Dropbox Protect. If you try to remove access from files or subfolders, you’ll receive an error indicating that the access is managed at the top-level and can’t be modified.

To update or remove access, you must change access levels in the app where they were originally assigned.

For example, if you apply a fix to public links that are more than three years old and the access is managed by a top-level source, the link is removed from the folder and from any files or subfolders under it. As a result, items within the folder may also lose access, even if they were modified more recently than three years ago. This behavior occurs regardless of which filter surfaced the folder.

Fixes only remove access managed by the top-level source. Access applied directly to a file or subfolder isn’t removed. This will happen to shared drives and personal drive folders.

Common top-level access errors

Connected app Explanation
Google Drive

Since access levels are typically assigned at the top-level, you must update them at the shared drive or highest-level folder or drive.

Direct access levels that were added at the lower level can still be removed individually. However, if a user has an Editor role on a shared drive, you can’t remove their access from subfolders because it’s given access from the shared drive.

Items must also have at least one Manager. You can’t remove the last Manager from a shared drive or folder. In My Drive, folders and files also get access levels from their top-level folder, so access changes must begin at the top-level folder.
Dropbox

Access levels can be given at both the folder and file level. If access levels are granted to a top-level folder, then all lower-level folders and files get that access. In Protect, access levels can’t be removed at the lower-level. To change the lower-level access, update access levels on the top-level folder in Dropbox.

Direct access added to a specific file or folder can be removed individually.
Microsoft 365

Top-level access is common across SharePoint sites, document libraries, and folders. If a lower-level item gets access from the top-level or library, you won’t be able to remove access at the item level.

In some cases, the option to remove the access is disabled because the access is managed at a top-level.

Organizational policies, site-level settings, or privacy configurations may also restrict access changes. To update top-level access, modify access at the top-level site, library, or folder where the access begins.

Step 1. Identify top-level access errors

  1. Log in using your admin credentials. Learn how to access Protect.
  2. Use filters to narrow results, such as shared drives, ownership, or access type.
  3. Select an item to review its access levels.

Step 2. Remove direct access

Before updating lower-level access in the source app, remove any direct access levels in Protect. This ensures only lower-level access remain and clarifies the access structure.

  1. In Protect, locate and select the affected item.
  2. Review the access levels list and identify any items with top-level access.
  3. Remove the direct links or collaborators. Learn how to manage shared links.
  4. Confirm that only lower-level access remain on the item.

Step 3. Fix top-level issues in the source app

If access is managed at the top-level, you must update them at the top-level in the source app.

  1. Identify the top-level folder, shared drive, site, or library listed on the lower-level item.
  2. Go to the source app.
  3. Update or remove access at that top-levellocation.
    • Google Drive. Update access at the shared drive or top-level folder where access were originally granted. For example, if a user should no longer have access, remove their role, such as Contributor, at the shared drive level.
    • Dropbox. If access is given by subfolders or files, update access on the parent folder in Dropbox. Changes at the top-level folder apply to all lower-level content.
    • Microsoft 365. Modify access at the top-level site, document library, or folder where access begins. Changes must be made at the top-level that controls the lower-level access.
highlighter icon

Note: Changes made in the source app at the top-level apply to all their lower-level files and folders.

Step 4. Confirm your changes and track history

  1. Return to Protect.
  2. Click Action history.
  3. Review completed actions to confirm which access levels were removed.
  4. Check for any actions that were blocked due to top-level access.

If access was blocked because it's managed at the top-level, return to the source app and confirm that the change was made at the correct top-level.

Learn how to use the Action history page.

Was this article helpful?

Let us know how why it didn't help:

Thanks for letting us know!

Thanks for your feedback!

Related Articles

How to configure your team’s desktop with GPO

How to connect Confluence to Dropbox Dash

How to connect Google Drive to Dropbox Protect

How to delete your Dropbox Dash account

Other ways to get help

Icon depicting two people
Community
Icon depicting a speech bubble
Contact support
Twitter Icon
Social media support