Get Started with Slack and Identity Management
Learning Objectives
After completing this unit, you’ll be able to:
- Explain how Slack plans impact your company’s identity and access management (IAM) strategy.
- Explain how Slack roles impact your company’s identity and access management (IAM) strategy.
- Describe fundamental IAM principles and solutions that Slack supports.
- Align with your company's key decision makers to develop the best IAM strategy for your company’s user lifecycle and security process.
Control Identity and Access with Slack
Slack provides admins and security managers with identity and access controls to meet the needs of every company. In this module, you get familiar with these features, learning a few best practices along the way. This starts with Slack plans and roles.
Understand How Slack Plans and Roles Affect Identity and Access
When you understand the options surrounding user lifecycle management at Slack, you can give thoughtful input to decision makers and better execute the process for your members. Each Slack plan and the role you support will require special consideration.
Know Your Slack Plan
Slack offers three paid plan types: Pro, Business+, and Enterprise Grid. The Pro and Business+ plans include a single Slack workspace designed for small and medium-size companies. The Enterprise Grid plan powers multiple connected Slack workspaces designed for larger companies, or those in regulated industries.
Your identity and access management (IAM) strategy depends on your organization's Slack plan.
For example, organizations on the Slack Business+ plan can choose to enable single sign-on (SSO) rather than using Slack stored credentials. However, SSO is mandatory on the Enterprise Grid plan.
You can learn more about Slack plans and how they affect IAM through the resources at the end of this unit.
Know the Slack Roles
In Slack, every person has a role, each with its own level of permissions and access. Slack roles are either administrative or nonadministrative.
- Administrative roles are designed for people responsible for managing accounts and settings in Slack. For example, Org Owners can control organization level policies and settings that affect all workspaces, whereas Workspace Owners only have this control on a single workspace.
- Nonadministrative roles let people work in Slack and access key features. For example, members of a legal department may be given the compliance admin role to allow them to create and manage legal holds.
Given the variety of roles and options available among the different Slack plans, it's helpful to know the capabilities and parameters of each role so you can better align your IAM strategy with your existing company policies. You can get the details through the resources at the end of this unit.
As an example, there is an added layer of administration unique to Slack Enterprise Grid. Because Enterprise Grid powers multiple interconnected Slack workspaces across a company, a role can sit at either the org level or the workspace level. On an Enterprise Grid plan, Org Level Owners manage identity across all workspaces within Enterprise Grid, whereas Workspace Admins typically manage identity across the sole workspace on non-Grid plans.
Here’s a handy table that breaks it down.
Who | Can manage ... |
---|---|
Org Owner, Org Admin | Can manage all org policies and decide which ones to pass on to workspace owners. |
Workspace Owner, Workspace Admin | Can manage all workspace policies including changing a Workspace Member’s display name. |
All Members | Can manage personal settings and any policies for which the Workspace Admin has allowed user customization. |
Get to Know IAM Concepts and Tools
Identity and access management (IAM) is the overarching discipline for verifying a user’s identity and their level of access to a particular system. Both authentication and access control—which regulates each user’s level of access—play critical roles in securing data.
Implement identity and access controls that fit your use case, such as using your identity provider (IdP) or enabling mandatory multifactor authentication (MFA) for your users.
Single sign-on (SSO) is a system that enables users to securely authenticate (sign in) with multiple applications, websites, and services through one login and one set of credentials. With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are.
With Slack, many Workspace Owners on the Pro and Business+ plans choose to set up single sign-on (SSO) authentication rather than Slack stored credentials for an extra layer of security. By default, organizations on the Enterprise Grid plan authenticate users via SSO.
System for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers and the service providers that require user identity information.
With Slack, SCIM provisioning enables Slack Org Owners (on Enterprise Grid) and Workspace Owners (on Business+) to manage members more efficiently. With it, they can systematically create or deactivate a member, sync and update members’ profile fields from their IdP to Slack, and provision multiple users in bulk. On Enterprise Grid, SCIM can also create or delete IdP groups and add or remove members from those groups.
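As an added illustration (not part of the original unit and not Slack's own code), the following Python shows the reconciliation that SCIM provisioning automates: comparing the IdP's view of users with a service provider's SCIM user listing and deriving the create, update, and deactivate actions. It uses generic SCIM 2.0 field names from RFC 7643/7644; the users, IDs, and helper names are constructed for the example, and no Slack endpoint is called.

```python
# Added example: reconcile an IdP export against a SCIM 2.0 user listing.
# All users and IDs below are constructed sample data; nothing is sent anywhere.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

IDP_USERS = {  # system of record: email -> state
    "ana@example.com": {"active": True, "displayName": "Ana Ruiz"},
    "bo@example.com": {"active": False, "displayName": "Bo Chen"},  # offboarded
    "cy@example.com": {"active": True, "displayName": "Cy Patel"},
}
SCIM_USERS = [  # "Resources" array of a SCIM ListResponse from the service provider
    {"id": "U001", "active": True, "displayName": "Ana R.",
     "emails": [{"value": "ANA@example.com", "primary": True}]},
    {"id": "U002", "active": True, "displayName": "Bo Chen",
     "emails": [{"value": "bo@example.com", "primary": True}]},
    {"id": "U003", "active": True, "displayName": "Dee Old",
     "emails": [{"value": "dee@example.com", "primary": True}]},
]

def primary_email(resource):
    """Return the lower-cased primary email of a SCIM User resource, or None."""
    emails = resource.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    return chosen["value"].lower() if chosen and chosen.get("value") else None

def deactivate_patch():
    """SCIM PatchOp body (RFC 7644 section 3.5.2) that sets active to false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def plan(idp_users, scim_users):
    """Return (action, key, detail) tuples needed to match the IdP."""
    actions, seen = [], set()
    for res in scim_users:
        email = primary_email(res)
        seen.add(email)
        idp = idp_users.get(email)
        if res.get("active") and (idp is None or not idp["active"]):
            # Account still usable although the IdP no longer vouches for it.
            actions.append(("deactivate", res["id"], deactivate_patch()))
        elif idp and idp["active"] and res.get("displayName") != idp["displayName"]:
            actions.append(("update", res["id"], {"displayName": idp["displayName"]}))
    for email, idp in idp_users.items():
        if idp["active"] and email not in seen:
            actions.append(("create", email, {"displayName": idp["displayName"]}))
    return sorted(actions, key=lambda a: (a[0], a[1]))

if __name__ == "__main__":
    for action in plan(IDP_USERS, SCIM_USERS):
        print(action)
```

Accounts that are active in the service but disabled or absent in the IdP (U002 and U003 in the sample) are the ones an offboarding review should surface first.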
Align IAM with Your Organization’s Systems and Processes
Before jumping in and configuring identity management and access control in Slack, first align on how your company manages employee life cycles, access and permissions, and other policies that streamline and protect your company’s work.
Consider your company's current employee onboarding process and security policies and ensure the process around getting users access to Slack is consistent with other tools that your organization uses.
Know Your Company's Employee Onboarding Process
Align with key decision makers at your company who manage the employee onboarding and offboarding process, such as human resources (HR) or information technology (IT). Ask questions like:
- What human resources information system (HRIS), if any, acts as the system of record of employees?
- How does our identity provider get updated with information about a new employee?
- Is there an integration between the HRIS or Active Directory and our identity provider to automatically synchronize those systems?
- Do users request access to applications or is application access provided to them?
- How is application access revoked during offboarding?
- On Enterprise Grid, when there are multiple workspaces, how do we ensure users are being provisioned with access to workspaces relevant to them?
Know Your Company's Security Policies
Align with your IT administrators to determine existing security policies by asking questions like:
- How long can application sessions last before users are required to reauthenticate?
- What are our multifactor authentication requirements?
- How are security groups managed in our identity provider?
Once you have a deeper understanding of your organization’s onboarding and security policies, you’ll be better equipped to identify the right authentication and identity options in Slack.