When a user joins a team, automatically send them a direct message welcoming them and presenting a terms of service they must accept.
To find out when a user joins a team we need a Slack app that's subscribed to the
team_join event being sent out through the Events API. The Events API sends a POST request to a specified URL whenever certain events occur on a Slack team. In the case of
team_join event, Slack will send an event as soon as a new user creates an account on a team. The event will include information about both the team and user. It is sent for bots, guests and full users but with enough information to distinguish between them.
When the app receives a
team_join event, it'll check a database to confirm whether the user has previously accepted the terms as part of this team or any other team within an Enterprise Grid organization. The database stores the user ID, team/enterprise ID, a boolean for whether they've accepted the terms, and date fields for when the message was sent and accepted. If the user has previously accepted the terms, the app will hold off on sending them a message. If they haven't accepted the terms, the app will add the user to the database and send them a DM using the
chat.postMessage API method (which requires the
chat:write:bot scope). The message includes the terms and a message button with the text 'Agree'. To include the button, you'll need to enable Interactive Messages in the app settings and supply a URL where Slack can send the button click event.
When the user clicks the "Agree" button in the message, Slack will send a POST request to the provided Interactive Message request URL. This request will include information about who clicked the button as well as a
response_url that can be used to update the message the user clicked on. When your app receives this event, it'll find and update the record in the database to indicate that the user has agreed to the terms. By sending a request to the
response_url, the app will update the original message to indicate that the terms have been accepted.
All that's left is to occasionally check who has been sent a message but not yet accepted the terms. You can set up a periodic job to either nag users to accept the terms or you can automatically disable their account through our SCIM API.