Developing automations requires a Business+ or Enterprise Grid plan. Don't have one? Join the Developer Program and provision a sandbox with access to all Slack features for free.
As part of the broader access controls available to administrators, administrators can ensure only approved apps are installed and available to users.
If a workspace has the Admin-Approved Apps feature enabled, apps must be approved by a Workspace Admin (as set in your workspace settings) before they can be deployed.
However, even if a workspace has AAA enabled, workspace owners can still run slack deploy
to deploy apps or slack run
to run apps locally without requesting AAA permission. The AAA approval process does not apply to standalone workspaces.
When a developer deploys an app, administrators will receive a notification, either from Slackbot or using the AAA API workflow as determined by the organization. The approval notification will include which OAuth scopes the app is requesting, as well as any outgoing domains the app may want to access.
Outgoing domains are a new concept, and apply only to apps deployed to Slack's managed infrastructure. These are domains the app may require access to β for example, if a developer writes a function that makes a request to an external API, they will need to include that API in their outgoing domains. Outgoing domains do not constrain which ports on those domains a function can communicate with. Administrators can now approve or deny apps based on these defined outgoing domains, in the same way they would OAuth scopes.
Developers can create apps that call connector functions. These connector functions are contained by another app; for example, if a developer wishes to add a row to a Google spreadsheet or to update that same row, they could call the respective Google Sheets connector functions.
In addition to the approval process for developer apps described above, you can also explicitly approve or deny apps that use connector functions for use in Enterprise Grid workspaces based on the specified connector function. For example, if a developer's app calls a connector function that has not yet been approved for your workspace, you will be notified for approval when the developer attempts to install their app. In this example, you would approve or deny the specific Google Sheets connector function for use in your workspace.
If you deny the connector function, running manifest validate
will inform the developer that the connector function is denied for use in the workspace. If you approve it, running manifest validate
will install the specified connector function to the workspace.
For more information and a list of connector functions and their containing apps, refer to connector functions.
If you are using the AAA APIs to manage your app approval process, there will be some changes to the API responses you receive as well as some new parameters that you can send to account for the new concept of outgoing domains that applies to apps deployed to Slack's managed infrastructure.
The following endpoints will now have a domains
field next to the existing scopes
field, as a string array:
A response would look like this:
"scopes": [
{
"name": "app_mentions:read",
"description": "View messages that directly mention @your_slack_app in conversations that the app is in",
"token_type": "bot"
}
],
"domains": ['slack.com'],
Additionally, the following endpoints will now have an optional domains
string array field for including outgoing domains that should be included in the approve or deny request:
If the domains
array is left empty, the method will look up the domains specified by the app.
For developers, the most important thing to know is that you may run into extra steps when deploying your apps. If the administrators of your workspace have enabled Admin-Approved Apps, it means your app requires approval before it can be deployed.
In this case, after you run slack deploy
, a prompt will notify you via the CLI that admin approval is required on this workspace. You'll also be prompted to enter y
or n
to send a request to the workspace administrator for approval to install your app.
Administrators will see which OAuth scopes your app is requesting, as well as which outgoing domains your app is requesting access to. Outgoing domains are specified in the outgoingDomains
array of your apps manifest.ts
file as comma-separated strings. Administrators may also ask for an additional description for your app. If this is enabled, you will be asked to provide that information when you deploy your app using the CLI.
Once you have approval, you'll receive a notification from Slackbot, and you can then deploy your app. If you receive a Slackbot notification that your app was denied, reach out to your workspace administrator.
Finally, if your app needs to request a new OAuth scope or outgoing domain, it will again trigger the approval process above. The existing app installation will continue to function, but the new scope or outgoing domain will not be functional until the app is reapproved and redeployed.
To request approval for an app that uses a connector function requiring admin approval, perform the following steps (Enterprise Grid workspaces only):
Y
. The CLI wil prompt you for a reason; after entering one, an approval request will be created for the admin of the workspace. Running manifest validate
will show that the connector app is now pending approval.N
, the CLI will do nothing, and your app will not be submitted for approval.Have 2 minutes to provide some feedback?
We'd love to hear about your experience building Slack automations. Please complete our short survey so we can use your feedback to improve.