Slack App Directory Permissions

Travis Good
March 22, 2022

Slack is a workflow platform. To extend the value of the platform, Slack added the equivalent of an App Store, which it calls the Slack App Directory. The Slack App Directory lists many SaaS apps. Once integrated into Slack, these apps let data and workflows flow between Slack and the external service. Common examples of Slack apps are Google Drive, Zoom, and Salesforce.

Below is an app listing for Haekka in the Slack App Directory.

Slack App Directory Listing for Haekka

By default, any user in Slack can install an app from the Slack App Directory. As an optional configuration, Slack admins can restrict which users may install apps and require admin approval before an app is installed.

Apps also have “Bot Users”, which are just automated user accounts that Slack users can message.

In Slack’s documentation on App Directory apps, Slack states the following:

We recommend only choosing tools and services you trust when installing apps to Slack. 

The functions of an app can be broken down into three categories:

  1. Post information. Although apps can post information such as a record from Salesforce or support ticket details from Zendesk, the risk from these permissions is limited.
  2. Perform actions. Apps can perform actions when triggered by a user, or on their own. A good example would be generating training reports using the /haekka-report command.
  3. Read information. This is the set of permissions that present the highest risk and are the focus of this section.

Given the data and actions that apps can access and take in Slack, proper approval and configuration are essential to reduce the risk from these apps and keep Slack environments secure. The most important consideration when installing Slack App Directory apps is the permission scopes you grant them. These permission scopes can be far reaching, including the ability to access user information and even messages in private channels, public channels, and direct messages.

Secrets, such as encryption keys, auth tokens, and passwords, should not be shared in Slack but sometimes this information is shared in Slack for convenience. Customer information containing PII is often shared in Slack. For companies in regulated industries like healthcare, PHI is sometimes shared in Slack. When apps are installed in Slack, the permissions they are granted can potentially expose this sensitive data to these apps. 

Haekka provides a Slack app that can be used as an example. When installing Haekka in Slack, just like any other app from the Slack App Directory, a list of the permissions requested by the app is shown. A screenshot of the permissions Haekka requests is below.

Slack Permissions for Haekka

The initial screen only shows permission categories. Clicking through to see the additional detail is necessary. Below is the same webpage as above for the Haekka Slack app but with the granular permissions shown.

Detailed Slack Permissions for Haekka

Categories of permissions on the Slack app install permissions page are divided into information apps can access and actions apps can take.

  1. Information. Permissions are broken down into content in channels and information about your workspace, such as members and member info.
  2. Actions. This section lists the actions that the app can take in channels.

There is no right or wrong set of permissions for Slack apps. The necessary permissions are specific to the app. In the case of Haekka, the permissions requested are those needed to create, assign, and take training in Slack, as well as to view training metrics and statistics. In order for apps to function, they need their own specific permissions.

The most important thing is to ensure app permissions are reviewed before Slack App Directory apps are installed. Remember that Slack App Directory apps can have security and risk implications. If permissions seem unnecessary, ask the app owner why they are needed. If a company operates in a regulated industry such as healthcare, ensure apps cannot access PHI; if an app does have access to channels containing PHI, you will need a business associate agreement (BAA) with the app owner.
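As an added example (not code from this post or from Haekka), the review described above can be scripted: the "Add to Slack" link for any app is a Slack OAuth v2 authorize URL whose `scope` query parameter carries the exact bot scope names, so a reviewer can pull them from the link and bucket them into the post / perform actions / read categories before approving. The scope names below are Slack's published bot-token scopes, but which bucket each falls into is this example's own judgement; the sample URL and its client_id are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Slack's published bot-token scope names, bucketed into the three categories
# used above. The bucketing is this example's own judgement, not Slack's.
READ_CONTENT = {"channels:history", "groups:history", "im:history",
                "mpim:history", "files:read"}           # message and file content
READ_METADATA = {"channels:read", "groups:read", "im:read", "mpim:read",
                 "users:read", "users:read.email", "users.profile:read",
                 "team:read"}                           # workspace and member info
POST = {"chat:write", "chat:write.public", "files:write", "reactions:write"}
ACTIONS = {"commands", "channels:join", "channels:manage"}

def scopes_from_install_url(url):
    """Extract the comma-separated bot `scope` list from a Slack OAuth v2 authorize URL."""
    raw = parse_qs(urlparse(url).query).get("scope", [""])[0]
    return [s.strip() for s in raw.split(",") if s.strip()]

def review_scopes(scopes):
    """Bucket each requested scope; unrecognised scopes go to 'unknown' for manual review."""
    buckets = {"read_content": [], "read_metadata": [], "post": [], "actions": [], "unknown": []}
    for scope in scopes:
        if scope in READ_CONTENT:
            buckets["read_content"].append(scope)
        elif scope in READ_METADATA:
            buckets["read_metadata"].append(scope)
        elif scope in POST:
            buckets["post"].append(scope)
        elif scope in ACTIONS:
            buckets["actions"].append(scope)
        else:
            buckets["unknown"].append(scope)
    return buckets

def findings(buckets):
    """Turn the buckets into the questions a reviewer should raise before approving."""
    notes = []
    if buckets["read_content"]:
        notes.append("reads message/file content (" + ", ".join(buckets["read_content"]) +
                     "): confirm no PHI or secrets in reachable channels, or obtain a BAA")
    if "users:read.email" in buckets["read_metadata"]:
        notes.append("reads member email addresses: ask the app owner why this is needed")
    if buckets["unknown"]:
        notes.append("unrecognised scopes (" + ", ".join(buckets["unknown"]) +
                     "): check against Slack's scope reference")
    if not notes:
        notes.append("post/action-only scopes: limited risk per the categories above")
    return notes

# Constructed sample install URL (not a real app's); the client_id is a placeholder.
SAMPLE_URL = ("https://slack.com/oauth/v2/authorize?client_id=PLACEHOLDER"
              "&scope=commands,chat:write,users:read,users:read.email,im:history")

if __name__ == "__main__":
    for note in findings(review_scopes(scopes_from_install_url(SAMPLE_URL))):
        print("-", note)
```

On the sample URL the script flags `im:history` (direct message content) and `users:read.email` as the two permissions to question with the app owner.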