The new Slack platform and the features described below are in beta and under active development.

Platform permissions control for admins

The next-generation platform introduces a number of powerful features that an organization might not want to grant to everyone. As part of the broader access controls available to administrators, access to these features can be gated to specific groups or people.

Permission to deploy apps

By default, only workspace owners and administrators can deploy apps. However, specific users and usergroups can be authorized in your Workspace settings. Administrators can also grant this permission to any non-guest team member.

To modify a workspace's app deployment permissions:

  1. From inside your Slack workspace, click your workspace name in the top left.
  2. Select Settings & administration from the menu, then click Workspace settings.
  3. Click the Permissions tab.
  4. In the Slack Platform Beta section, click Expand.
  5. Choose an option from the radio buttons. Optionally include specific users and groups by adding their IDs, separated by commas.
  6. Click Save.

Admin Approved Apps

If a workspace has Admin Approved Apps (AAA) enabled, apps will need to be approved by an administrator (as set in your workspace settings) before they can be deployed.

Workspace owners and administrators cannot run slack deploy to deploy apps when a workspace has admin-approved apps turned on, but an app running locally with slack run can be installed in a workspace with Admin Approved Apps enabled.

When a developer deploys an app, administrators will receive a notification, either from Slackbot or using the Admin Approved Apps API workflow, as determined by your organization. The approval notification will include which OAuth scopes the app is requesting as well as any outgoing domains an app may want to access.

Outgoing domains are a new concept and apply only to apps that run on Slack. These are domains the app may require access to — for example, if a developer writes a function that makes a request to an external API, they will need to include that API in their outgoing domains. Administrators can now approve or deny apps based on these defined outgoing domains, in the same way they would OAuth scopes.

Access controls for developers

For developers, the most important thing to know is you may run into extra steps when trying to deploy your apps. If the administrators of your workspace have enabled Admin Approved Apps, it means your app will need to be approved before it can be deployed.

Administrators will see which OAuth scopes your app is requesting as well as which outgoing domains your app is requesting access to. Outgoing domains are specified in the outgoingDomains array of your app's manifest.ts file and should be comma-separated strings.

Administrators may also optionally ask for an additional description for your app. If this is enabled, you will be asked to provide that information when you deploy your app, using the CLI.

Once an admin has approved your app, you will receive a notification from Slackbot and will be able to deploy. If your app is denied, you will need to reach out to your workspace administrator.

Finally, if your app needs to request a new OAuth scope or outgoing domain, it will trigger a new approval. The existing app installation will continue to function, but the new scope or outgoing domain will not be functional until the app is approved.

Changes to the Admin Approved Apps APIs

If you are using the Admin Approved Apps APIs to manage your app approval process, there will be some changes to the API responses you receive as well as some new parameters you can send to account for the new concept of outgoing domains that applies to apps that run on Slack.

The following endpoints will now have a domains field next to the existing scopes field, as a string array:

A response would look like this:

"scopes": [
  {
    "name": "app_mentions:read",
    "description": "View messages that directly mention @your_slack_app in conversations that the app is in",
    "token_type": "bot"
  }
],
"domains": ["slack.com"],

Additionally, the following endpoints will now accept an optional domains string array field listing the outgoing domains to include in the approve or deny request:

If the domains array is left empty, the method will look up the domains specified by the app.
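
One way an approval workflow could evaluate the scopes and domains fields of an app request against an organization allowlist before approving or denying it. This is an added example, not Slack's code: the policy values, type names and the normalizeDomain and reviewAppRequest functions are hypothetical, and the rule that outgoing domains must be bare hostnames matched exactly is an assumption.

```typescript
// Added example. `scopes` and `domains` mirror the response fields on this page;
// the policy, type names and function names are hypothetical.
interface RequestedScope { name: string; description: string; token_type: string }
interface AppRequest { scopes: RequestedScope[]; domains: string[] }
interface Policy { allowedScopes: string[]; allowedDomains: string[] }
interface Review {
  decision: "approve" | "deny";
  deniedScopes: string[];
  deniedDomains: string[];
  malformedDomains: string[];
}

// Bare hostname only: no scheme, port, path or wildcard (assumed policy).
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

// Lower-case and drop a trailing root dot so "API.Example.com." compares equal.
function normalizeDomain(domain: string): string {
  const d = domain.trim().toLowerCase();
  return d.charAt(d.length - 1) === "." ? d.slice(0, -1) : d;
}

// Policy entries are assumed to be stored lower-case without a trailing dot.
function reviewAppRequest(req: AppRequest, policy: Policy): Review {
  const deniedScopes = req.scopes
    .map((s: RequestedScope) => s.name)
    .filter((name: string) => policy.allowedScopes.indexOf(name) === -1);
  const deniedDomains: string[] = [];
  const malformedDomains: string[] = [];
  req.domains.forEach((raw: string) => {
    const d = normalizeDomain(raw);
    // Exact match only: a suffix or substring test would let look-alike hosts through.
    if (!HOSTNAME.test(d)) malformedDomains.push(d);
    else if (policy.allowedDomains.indexOf(d) === -1) deniedDomains.push(d);
  });
  const clean = deniedScopes.length + deniedDomains.length + malformedDomains.length === 0;
  return { decision: clean ? "approve" : "deny", deniedScopes, deniedDomains, malformedDomains };
}

// Constructed sample input, not real data.
const samplePolicy: Policy = {
  allowedScopes: ["app_mentions:read"],
  allowedDomains: ["slack.com", "api.example.com"],
};
const sampleRequest: AppRequest = {
  scopes: [
    { name: "app_mentions:read", description: "constructed", token_type: "bot" },
    { name: "chat:write", description: "constructed", token_type: "bot" },
  ],
  domains: ["slack.com", "API.Example.com.", "https://hooks.example.net/x"],
};
console.log(reviewAppRequest(sampleRequest, samplePolicy));
```

Because a new scope or outgoing domain triggers a new approval, the same check can be rerun on each request so the reviewer sees exactly which entries fall outside policy.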