Platform permissions control for admins

As part of the broader access controls available to them, administrators can ensure that only approved apps are installed and available to users.

Permission to deploy apps

By default, only workspace owners and administrators can deploy apps. However, specific users and usergroups can be authorized in your workspace settings. Administrators can also grant this permission to any non-guest team member.

To modify a workspace's app deployment permissions:

  1. From inside your Slack workspace, click your workspace name in the top left.
  2. Select Settings & administration from the menu, then select Workspace settings.
  3. Click the Permissions tab.
  4. In the Slack Platform Beta section, click Expand.
  5. After agreeing to the terms, choose an option from the radio buttons. Optionally include specific users and groups by adding their IDs, separated by commas.
  6. Click Save.

Admin-Approved Apps

If a workspace has Admin-Approved Apps enabled, apps will need to be approved by an administrator (as set in your workspace settings) before they can be deployed.

Workspace owners and administrators cannot run slack deploy to deploy apps when a workspace has Admin-Approved Apps turned on, but an app running locally with slack run can be installed in a workspace with Admin-Approved Apps enabled.

When a developer deploys an app, administrators will receive a notification, either from Slackbot or using the Admin-Approved Apps API workflow as determined by your organization. The approval notification will include which OAuth scopes the app is requesting, as well as any outgoing domains the app may want to access.

Outgoing domains are a new concept, and apply only to Run On Slack apps. These are domains the app may require access to. For example, if a developer writes a function that makes a request to an external API, they will need to include that API in their outgoing domains. Outgoing domains do not constrain which ports on those domains a function can communicate with. Administrators can now approve or deny apps based on these defined outgoing domains, in the same way they would OAuth scopes.

Changes to the Admin-Approved Apps APIs

If you are using the Admin-Approved Apps APIs to manage your app approval process, there will be some changes to the API responses you receive as well as some new parameters that you can send to account for the new concept of outgoing domains that applies to Run On Slack apps.

The following endpoints will now have a domains field next to the existing scopes field, as a string array:

A response would look like this:

"scopes": [
  {
    "name": "app_mentions:read",
    "description": "View messages that directly mention @your_slack_app in conversations that the app is in",
    "token_type": "bot"
  }
],
"domains": ["slack.com"],

Additionally, the following endpoints will now have an optional domains string array field for including outgoing domains that should be included in the approve or deny request:

If the domains array is left empty, the method will look up the domains specified by the app.

Access controls for developers

For developers, the most important thing to know is that you may run into extra steps when deploying your apps. If the administrators of your workspace have enabled Admin-Approved Apps, it means your app will need approval before it can be deployed.

In this case, after you run slack deploy, a prompt will notify you via the CLI that admin approval is required on this workspace. You'll also be prompted to enter y or n to send a request to the workspace admin for approval to install your app.

Administrators will see which OAuth scopes your app is requesting, as well as which outgoing domains your app is requesting access to. Outgoing domains are specified in the outgoingDomains array of your app's manifest.ts file as comma-separated strings. Administrators may also ask for an additional description for your app. If this is enabled, you will be asked to provide that information when you deploy your app using the CLI.

Once you have admin approval, you'll receive a notification from Slackbot, and can then deploy your app. If you receive a Slackbot notification that your app was denied, reach out to your workspace administrator.

Finally, if your app needs to request a new OAuth scope or outgoing domain, it will again trigger the approval process above. The existing app installation will continue to function, but the new scope or outgoing domain will not be functional until the app is reapproved and redeployed.
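The admin-side review described above, where requested OAuth scopes and outgoing domains are weighed and a new scope or domain re-triggers approval, sketched as an added example (not Slack's code). The field names follow the response fragment shown earlier; the Policy type, the function names and all sample values are assumptions.

```typescript
// Added example, not Slack's code. `scopes[].name`, `token_type` and `domains`
// follow the response fragment on this page; Policy, reviewRequest and the
// sample values are hypothetical / constructed.
interface RequestedScope { name: string; description?: string; token_type: string }
interface ApprovalRequest { scopes: RequestedScope[]; domains: string[] }
interface Policy { allowedScopes: string[]; allowedDomains: string[] }
interface Review {
  decision: "approve" | "escalate";
  newScopes: string[];       // requested now, absent from the last approval
  newDomains: string[];
  unlistedScopes: string[];  // requested, not on the org allowlist
  unlistedDomains: string[];
}

// Hostnames are case-insensitive and may carry a trailing root dot.
function normDomain(d: string): string {
  return d.trim().toLowerCase().replace(/\.$/, "");
}

// Items of `items` that do not appear in `reference` (exact string match).
function notIn(items: string[], reference: string[]): string[] {
  return items.filter((x) => reference.indexOf(x) === -1);
}

function reviewRequest(req: ApprovalRequest, policy: Policy, previous?: ApprovalRequest): Review {
  const scopes = req.scopes.map((s) => s.name);
  const domains = req.domains.map(normDomain);
  // Exact match only: a substring or suffix test would let a look-alike such
  // as "slack.com.example.net" pass as "slack.com".
  const unlistedScopes = notIn(scopes, policy.allowedScopes);
  const unlistedDomains = notIn(domains, policy.allowedDomains.map(normDomain));
  const clean = unlistedScopes.length === 0 && unlistedDomains.length === 0;
  return {
    decision: clean ? "approve" : "escalate",
    newScopes: notIn(scopes, previous ? previous.scopes.map((s) => s.name) : []),
    newDomains: notIn(domains, previous ? previous.domains.map(normDomain) : []),
    unlistedScopes,
    unlistedDomains,
  };
}

// Constructed sample data: the last approved request and a resubmission.
const policy: Policy = { allowedScopes: ["app_mentions:read", "chat:write"], allowedDomains: ["slack.com"] };
const approved: ApprovalRequest = { scopes: [{ name: "app_mentions:read", token_type: "bot" }], domains: ["slack.com"] };
const resubmitted: ApprovalRequest = {
  scopes: approved.scopes.concat([{ name: "chat:write", token_type: "bot" }]),
  domains: ["Slack.com.", "slack.com.example.net"],
};
console.log(reviewRequest(resubmitted, policy, approved));
```

Because outgoing domains do not constrain ports, a policy like this decides only which hosts an app may reach, not which services on them.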
