Consider Security and User Needs

Learning Objectives

After completing this unit, you’ll be able to:

Organize an app security and governance team.
Determine if an app meets your organization’s needs and security policies.
Identify preapproved apps for deployment across Slack.
Standardize a process for reviewing, approving or denying apps.

Find the Best Approach

Two hands working to solve a puzzle cube; the hand on the left sits atop a yellow sleeve and the hand on the right is coming out of a blue sleeve.

Should decisions be made top-down, that is, set by Org Admins and Owners to apply across all workspaces in the organization? Or is it better to have a bottom-up approach, so that workspace admins are responsible for making decisions in their respective workspaces?

Each organization will have a different approach to decision making—and many organizations use a hybrid approach where some decisions are made top-down and others are made bottom-up.

Assemble an App Security and Governance Team

Assemble a team to help determine guiding principles for approving or rejecting apps. Clear guardrails to enable admins and app managers to make smarter decisions more efficiently.

First, identify the stakeholders who should be involved in the collaboration process. This mix of individuals will differ for each organization, but there are certain roles and responsibilities that we recommend you consider when putting together a governance team. Keep in mind that app management is often one part of the core team that manages Slack.

Roles to consider include:

Executive Sponsor—Owner of Slack at the organization providing vision and responsible for ongoing Slack adoption and maturity.
Product Owner—Provides oversight of resources, policies, and processes needed to support Slack, and owns the product roadmap.
Owners/Admins—Responsible for org- and workspace-level admin of Slack, including approval processes, such as app requests.
Champions—Business unit leaders or reps along with the IT/Helpdesk and the IT Security Team who are consulted in the decision making process.
Employee Enablement—Help upskill end users or relay impact to their Slack experience.

Communication within the governance team can exist via Slack channels such as #admin-slack or #governance-slack for ongoing day-to-day collaboration. These types of designated private channels, where admins and other relevant security or IT team members are included, serve as ideal destinations for app requests.

Additionally, we recommend a regular governance team cadence for ongoing reinforcement—such as a quarterly or annual policies and settings review and user support model review to gauge the efficacy of your current strategy.

Determine Your App Governance Decision Flow

As we mentioned above, there are different approaches to app governance. Your organization can enable end users to install apps on their own, make bottom-up decisions by admins, top-down decisions by admins or take a hybrid approach. Let’s define these methods and look at hybrid approaches through the eyes of an Enterprise Grid account Admin.

Bottom-Up—Apps are installed on individual workspaces and managed by different Workspace Admins across an org.
Top-Down—Apps are installed at the Org level by an Org Admin and access is granted to specific workspaces.
Hybrid—This common approach can occur depending on the type of workspaces in an org. For example, org-wide apps can be installed across workspaces and have a less restrictive policy; while specific workspaces handling more sensitive content can have a more restrictive policy or certain apps just aren’t available.
Self-Service—End users can install preapproved apps or, depending on policies and settings, have access to only install apps from the Slack App Directory. This approach can be used with any of the previous methods we’ve reviewed.

Consider the following when you put together your app management decision making plan.

What are the most common apps in your organization or workspace? Consider having these preinstalled or preapproved to minimize admin overhead.
Who will be making app governance decisions? Will it be admins, IT, the security team, end users or a combination of these folks? Will they sit at the org or workspace level?
Will certain workspaces require significantly different app policies or settings compared to others?
Will app policies differ depending on channel types? For example, will you deploy stricter security policies for Slack Connect channels as compared to those for internal channels?

Determine If Apps Meet Your Needs

Scopes are a set of permissions that govern what an app can do and access when installed to a Slack workspace. Understanding the scopes of an app is critical to knowing if that app aligns with your organization’s security policies. Approve or restrict apps based on permission scopes.

The scopes of an app depend on the kinds of things it was built to do. Generally, apps can do three things in Slack.

View information
Post Information
Perform actions

If an app developer changes the scopes of an app after it was installed to your workspace, members may need to request the app again so that someone with permission can review the new scopes. If an app manager restricts an app’s new scopes, members can continue using the existing version of the app, but cannot install or use the update. If you don't want users to access the existing version of the app you'll need to uninstall it.

You’ll see a detailed list of permissions for each app in the Slack App Directory. These lists will help you decide whether you should approve or restrict an app’s use. In the example image you can see what permissions the Salesforce app has in Slack and what actions it can take.

Ability to view:
- Content and information about the user
- Content and info about the channels & conversations
- Content and info about the workspace
Ability to:
- Perform actions as the user
- Perform actions in channels & conversations
- Perform actions in the workspace

Permissions can also be viewed in app requests that post to Slack.

The Salesforce app page in the Slack App Directory. The Permissions tab has been selected, displaying what the Salesforce app can view and do in Slack.

Consider the following when deciding whether an app should be installed in your workspace.

What scopes will the app request to function in your workspace? Generally, an app will ask permission to post messages, perform actions, and read information.
What information will the app access in Slack (such as member profiles, channel names, messages or files)?
What actions can the app take with the information it accesses (like post messages, modify content or create channels)?
Does the requester have a valid business reason for using the app?
Are alternative apps already being used for the same purpose?
How long is the app required in the workspace?
What is the app’s privacy policy?
How often will the app post (you don’t want to spam your teammates)?
Is the app software license already procured for use within your organization?

Additionally, remember to always consult and consider your organization’s security and data compliance policies to make sure your Slack app governance policies align with your company-wide guidance.

Preapproving apps goes a long way toward reducing admin overhead.

Identify Apps to Preapprove

Apps that are already being used in your organization should be preapproved or preinstalled to reduce friction for your team. If your team depends on a popular app like Salesforce, Jira, Dropbox, Zoom, Google Calendar or Outlook Calendar, make sure to at least preapprove the app from the Slack App Directory.

Workspace Owners can enable the Approve apps setting for a workspace to control how and what is installed. By default, only Workspace Owners can manage apps. However, with the Approve apps setting turned on, Owners can allow selected members to manage approved apps and respond to app installation requests.

Review, Approve, or Deny Apps

Keep the app approval process within Slack to expedite requests and have any needed information accessible to your admins and end users.

A typical process for approving apps includes:

Deciding which apps can be preapproved to install either by your admins or your end users.
Members should then be able to go to the Apps section of their workspace to browse and search for apps currently approved. If the desired app is on the list, they can install it.
If the app does not show up, then members can request app approval from admins through several ways:
- Users can find the app in the Slack App Directory and send a request from the app page, which will then post the request into a channel or DM for admins.
- Users can request help in a Slack channel that's admin monitored by updating their status (red, blue, or white dots, for example). This is a more manual, labor-intensive method for admins.
- Users can request help in a Slack channel via workflows, which are then automatically rerouted to appropriate admin groups. This method is less labor-intensive for admins. We describe how you can set this in unit 1.
- Users can request apps via IT ticketing. By using this method, your users leave Slack to submit requests, and you need to consider where to include your Slack admins within your IT support team's resolution process.
- Users can request apps via IT ticketing, which is then managed via a Slack API. This method requires custom work from your dev team, and users still need to leave Slack to submit requests, but their requests are routed and managed automatically by the API integration.

Employees attempting to communicate with each other via different computer screens.

Here are some best practices for the app approval process.

Determine how your approach to app requests can align to your company’s overarching data and security policies.
Develop a seamless process with clear ownership of each step to determine guiding principles for app reviews.
Instead of having multiple apps with similar purposes, focus on the apps that work best for your organization and make it easy for your team members to discover them.
Document and socialize an app governance and process flow with respective stakeholders (Admin, Owners, IT Security, Helpdesk) and end users so they know where to initiate any app related requests and where to go for help. Some practical applications might include:
- Create and socialize an FAQ document—if people already know what they might or might not be allowed to install, you’ll get better requests. For example, if you’ve decided to restrict any permissions as absolute no-gos, let your users know and let them know why.
- Pin FAQs and helpful guides in the respective #help-slack, #request-apps, or #plz-apps channels along with expected response times
After aligning on an app governance process, enforce the process and maintain effective communication across requesters and approvers.

Drive Discovery of Approved Apps

To increase efficiency and reduce security risks, minimize the repetition of similar apps. For example, your company may not need three polling apps if they serve a similar use case.

Evaluate and identify an app that works best for a specific use case—then recommend to employees to use that particular app, unless there’s a business need for a similar app.

We find that users request apps because they’re searching for a solution and might not know what’s already available. Slack has a dedicated Apps page—accessible from the left sidebar—where users can find apps that are already installed in their workspace (Scroll to Apps section | click Apps | Manage | Browse apps). Direct users to this page and give them a chance to get familiar with approved apps before requesting new ones.

In the next unit, we walk through the nuts and bolts of managing apps in Slack.

Resources

Slack API: Permission scopes

도움말 검색