Slack Permission Scopes

Travis Good
March 23, 2022

In our previous post, we went into detail about Slack App Directory permissions. That post walked through the workflow and steps for adding a third-party app to your workspace. The important point from that post is that each Slack App Directory app requires its own unique set of permissions in order to function properly. Some of those app functions have security and risk implications.

In the last post, we included user-friendly, readable screenshots. These screenshots, taken from the flow of installing Slack App Directory apps, are meant to be easy to digest and interpret when deciding whether to approve or reject an app install in Slack.

Behind the user-friendly presentation from our last post are an app's specific permission scopes, which correspond to the Slack API calls the app makes. The following scopes are what Haekka's Slack app needs to function. For each one, we have also added the underlying product reason why the app requires the scope.

channels:read

  • View basic information about public channels in a workspace
  • Request Reason: We use this scope to grab a list of users to assign to a training. Admins can add all users from a channel to a training.

chat:write

  • Send messages as @haekka
  • Request Reason: We use this to send users the training lessons, tips and topics, and reminders.

commands

  • Add shortcuts and/or slash commands that people can use
  • Request Reason: We've added a new slash command to allow admin users to pull up a detailed report on their organization's training.

groups:read

  • View basic information about private channels that Haekka Security Awareness Training has been added to
  • Request Reason: We use this scope to grab a list of users to assign to a training. Admins can add all users from a channel to a training.

im:history

  • View messages and other content in direct messages that Haekka Security Awareness Training has been added to
  • Request Reason: This was added automatically when we added the messages.im scope in order to properly respond to a user when they message Haekka.

im:read

  • View basic information about direct messages that Haekka Security Awareness Training has been added to
  • Request Reason: We use this to help users share messages with each other.

mpim:read

  • View basic information about group direct messages that Haekka Security Awareness Training has been added to
  • Request Reason: We use this to help users share messages with each other.

team:read

  • View the name, email domain, and icon for workspaces Haekka Security Awareness Training is connected to
  • Request Reason: We create a company object for Slack installations and use this scope to create that.

users:read

  • View people in a workspace
  • Request Reason: We use this scope to grab a list of users to assign to a training. Admins can add all users from a channel to a training.

users:read.email

  • View email addresses of people in a workspace
  • Request Reason: When we create user objects in our backend we use this to grab their email.

identity.basic

  • View information about a user’s identity
  • Request Reason: This is required to allow our users to log into our dashboard with the "Sign in with Slack" feature.

The scopes above, especially without the added explanations and reasons, are not valuable to most Slack users who are installing Slack App Directory apps. That’s why Slack presents them as easy-to-read bullets. If you are interested in the specific Slack permission scopes and API calls an app needs, do not hesitate to reach out to the app owner for a list of the Slack permission scopes the app requires and the reason for each of them.
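Once an app owner has given you a scope list like the one above, you can compare it with the scopes the installed app actually holds. The following is an added example, not Haekka's or Slack's code: the documented set is copied from this page, the granted string is constructed sample input, and the tagging rules in `classify` are an illustrative heuristic based on the scope names.

```python
# Added example: compare an app's granted Slack scopes with the vendor's documented list.
# DOCUMENTED is copied from the scope list on this page; GRANTED is constructed sample input.
DOCUMENTED = {
    "channels:read", "chat:write", "commands", "groups:read", "im:history",
    "im:read", "mpim:read", "team:read", "users:read", "users:read.email",
    "identity.basic",
}
# Constructed: one extra scope (channels:history) and no identity.basic.
GRANTED = ("channels:read,chat:write,commands,groups:read,im:history,im:read,"
           "mpim:read,team:read,users:read,users:read.email,channels:history")
SENSITIVE = {"message-content", "write", "pii-email"}


def parse_scopes(raw):
    """Split a comma- or space-separated scope string into a set of names."""
    return set(raw.replace(",", " ").split())


def classify(scope):
    """Tag a scope from its resource:action[.field] name (heuristic, an assumption)."""
    resource, _, action = scope.partition(":")
    tags = []
    if action == "history":
        tags.append("message-content")   # can read message bodies
    if action.startswith("write"):
        tags.append("write")             # can post or modify
    if action.endswith(".email"):
        tags.append("pii-email")         # exposes email addresses
    if resource.startswith("identity."):
        tags.append("user-identity")     # Sign in with Slack identity
    if not tags:
        tags.append("read-metadata" if action == "read" else "other")
    return tags


def audit(granted_raw, documented=DOCUMENTED):
    """Return scope drift plus the granted scopes that deserve a closer look."""
    granted = parse_scopes(granted_raw)
    return {
        "undocumented": sorted(granted - documented),
        "documented_not_granted": sorted(documented - granted),
        "review": {s: classify(s) for s in sorted(granted)
                   if SENSITIVE & set(classify(s))},
    }


if __name__ == "__main__":
    for key, value in audit(GRANTED).items():
        print(key, value)
```

Any entry under `undocumented` is a scope to raise with the app owner, and each entry under `review` should have a stated reason like the ones listed above.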