Managing app approvals in Enterprise Grid workspaces
An admin app can approve or restrict other app installs across an entire Enterprise Grid org. The app handles app management for each workspace in the Grid org, replacing the UI process.
Sure, it might sound like a meta-machine best left to science fiction—but an app to approve other apps can make admins' lives far more pleasant and productive.
Be careful: when you install an app to manage app approvals on a Grid organization, you must process all app approvals and restrictions with this app, and the workspace-level UI App Management Settings UI options will be disabled.
If you wish to restore the App Management Setting UI, you'll need to revoke the token you used to approve apps, or delete the app management app entirely.
To build an app with the APIs for app management, read on.
- Overview
- Setup with scopes
- Listen with the
app_requestedevent - Manage with
approveandrestrictmethods
This API can only be used by Enterprise Grid orgs.
Overview
When an admin turns on the Approve apps setting in Slack, apps are requested by a Slack user and have to be approved by an admin before they're actually installed for a team to use.
The approval process helps admins make sure that each app installed on a workspace is trustworthy.
However, for Enterprise Grid admins handling approvals, app requests for each individual workspace in the org can add up to a major time-suck.
Now, app approval can be managed by a single app, across all workspaces. Instead of using the UI, Enterprise Grid admins delegate the approval work to an app. The app can implement any specific logic that the admin would like—for example, whitelisting the Google Drive app on any workspace.
When you use an app to handle app management with this API, it replaces the App Management UI. The Approve apps setting is turned on for each workspace automatically.
This API can only be used by Enterprise Grid orgs.
Keep going for a more detailed walk-through on app management.
Setup with scopes
Two scopes enable an app to manage app install approvals across an Enterprise Grid org: admin.apps:read and admin.apps:write.
- The
admin.apps:readscope allows the app to list app install requests, and to subscribe to theapp_requestedevent. - The
admin.apps:writescope allows the app to approve or restrict requests for an app install.
All admin.* scopes are obtained using the normal OAuth flow, but there are a few extra requirements. The OAuth installation must be initiated by an Enterprise Grid admin or owner. Also, the install must take place on the Enterprise Grid org, not on an individual workspace using the workspace switcher during the install flow.
Check out the scope documentation for more detail.
Listen with the app_requested event
Now that you've got your management app off the ground, begin listening for app install requests. The app_requested event from the Events API notifies your app of exactly those requests. It's triggered any time a user on any team in your Grid org requests that an app be installed.
Subscribe to the app_requested event by navigating to your App page and clicking on Event Subscriptions in the left sidebar. The Add Workspace Event button will lead you to the app_requested event. You'll need to reinstall your app for your subscription to take effect.
Here's the truncated shape of an app_requested event:
{
"type": "app_requested",
"app_request":{
'id': string,
'app': {
'id': string,
'name': string,
'description': string,
'help_url': string,
'privacy_policy_url': string,
'app_homepage_url': string,
'app_directory_url': string,
'is_app_directory_approved': boolean,
'is_internal': boolean,
'additional_info': ?string
},
...
}
}
In addition to the app field containing info on the app that's been requested, you'll also see some other useful fields, some of which don't always appear if they're not relevant:
previous_resolutiongives info about whether the app was approved or restricted previously.usergives info on the user that requested the install.teamgives info about the team that the user requested the install on.scopesgives info about the scopes that the requested install will grant on your workspace.
For a full payload example of an app_requested event, check out the app_requested page.
Once you've got your ear to the ground listening for app install requests, read on to learn how to respond.
Manage with approve and restrict methods
Approve an app install request
Approve an app request with the approve method:
curl -F token=xoxp-... -F team_id=T9876 -F request_id=1234 https://slack.com/api/admin.apps.approve
The token is, of course, required, and must be imbued with the admin.apps:write scope. Follow the instructions in the scope documentation to obtain an admin scope.
You can use either request_id or app_id to identify which app to approve. Either can be obtained directly from the app_requested event described above, or from the list method described below. The team_id is also required: it specifies which workspace the app should be approved on.
You'll receive an "ok": true response when your approval is successful.
Restrict an app install request
Similarly, restrict (in other words, deny) an app install with the restrict method:
curl -F token=xoxp-... -F request_id=1234 https://slack.com/api/admin.apps.restrict
As above, the token is required, and must be imbued with the admin.apps:write scope. Follow the instructions in the scope documentation to obtain an admin scope. Either a request_id or app_id is also required to identify which app to restrict, and a team_id is required as well.
You'll receive an "ok": true response when your restriction is successful.
List app install requests
Use the list method to see pending app install requests. The list method only shows requests that haven't yet been approved or restricted by your app.
curl -F token=xoxp-... -F team_id=T9876 https://slack.com/api/admin.apps.requests.list
You'll receive a response containing a list of app_requests, each of which is identical to what's found in the app_requested event payload described above.
Sample app
If you're looking for an example app that uses these methods, look no further than this app built by Slack on Github.
Parting words
App approvals build confidence that a Slack org is safe and secure. However, managing apps for every workspace in a Grid org can take time and pull focus away from the most critical tasks.
Use the APIs for app management to build an app that automates app management, and gain peace of mind without the labor-intensive manual work. Stay tuned for more announcements as Slack continues its quest to make admin lives even more pleasant and productive.