Slack Permissions Scopes for the Halp Slack App

In order to use Halp, the Slack App needs to be installed by a Slack Admin in your organization. When installing the Slack App, we request access to a series of different permission scopes that enable different functionality. By default, Halp requests the minimum scopes needed for all product functionality. Depending on the security needs of your organization, certain scopes can be excluded and functionality can be limited.

Halp recently upgraded to the latest version of the Slack API. This means during authorization of the Halp Slack App, we are using Granular Bot Permissions. You can read more about Granular Bot Permissions here.

In this document, we outline the different Slack permission scopes requested by our App and what functionality they enable. If you'd like to limit the scopes in your Halp installation, please email support@halp.com.

With granular bot permissions, there are two different types of scopes the Halp app requests. Bot Token Scopes, and User Token Scopes.

channels:history, channels:join, channels:read scope

πŸ”’This scope can be reduced to bot only πŸ”’

Details

The channels:history scope is requested as both a Bot scope and a User scope. The channels:join and channels:read scopes are requested as a Bot scope. The bot scope gives access to messages in public channels and information about the channels where the bot has been invited but does not allow access to messages from before the bot was invited. The user scope gives access to public channels where the bot has not been invited as well as historical messages in public channels from before Halp was installed.

Impacts of reducing the permission scope

The channels:history scope can be limited to only a bot scope. The result will be that tickets cannot be created with an emoji in channels where the bot has not been invited, and for public channels tickets can only be made with an emoji from messages sent after the bot has been invited - similar to how private channels work. The Slack Action will still be available to create tickets anywhere in Slack.

im:history, im:read, im:write scope

πŸ”’This scope can be reduced to bot only πŸ”’

Details

The im:history scope is requested as both a Bot scope and a User scope. The im:read and im:write scopes are requested at Bot scopes. The Bot scopes give us access to direct messages between users and the bot. The user scope gives access to direct messages between Agents in Halp and other users in Slack. With this scope enabled, Agents can use an emoji to turn messages from coworkers in DMs into trackable tickets.

Impacts of reducing the permission scope

The im:history scope can be limited to only a bot scope. The result will be that Agents will not be able to use an emoji in direct messages to create a ticket. The Slack Action can still be used to make tickets from direct messages.

mpim:history, mpim:read, mpim:write scope

πŸ”’This scope can be removed completelyπŸ”’

Details

The mpim:history, mpim:read, and mpim:write scopes are requested a Bot scope. The Bot scope gives access to group messages between users and the bot. The user scope gives access to group messages between Agents in Halp and other users in Slack. With this scope enabled, Agents can use an emoji to turn messages from coworkers in group DMs into trackable tickets.

Impacts of removing the permission scope

The mpim scopes can be removed. The result will be that Agents will not be able to use an emoji in group messages to create a ticket. The Slack Action can still be used to make tickets from group messages.

groups:history and groups:read scope

πŸ”’This scope can be reduced to bot only πŸ”’

Details

The groups:history scope and groups:read scope is requested as a Bot scope. The Bot scope gives access to messages in private channels where the bot has been invited, but only to messages, as well as the name of the channel. With this scope enabled, Agents can use an emoji to turn messages from coworkers in private channels into trackable tickets.

chat:write and chat:write:customize scope

πŸ”’This scope can be reduced to bot only πŸ”’

Details

The chat:write scope is requested as a User scope and a Bot scope. The chat:write:customize scope is requested as a Bot scope. The Bot scope allows Halp to post messages and update the icon to match the face of the Agent/Requester, or use a custom Halp icon. The user scope gives access to send and delete messages from Agents in Halp - not all users in Slack. With this scope enabled, Halp can edit and delete messages from agents when they are modified or erroneous, as well as move tickets between different triage channels for escalations or re-assignments.

Impacts of reducing the permission scope

The chat:write user scope can be excluded. The result will be that deleting/editing messages won't be reflected everywhere and tickets may not be able to move between channels.

commands scope

πŸ”’This scope can be removed completely πŸ”’

Details

The commands scope is requested as a Bot scope. The commands scope enables the addition of the /helpdesk, /halp, /support slash commands, as well as the Slack Action.

Impacts of removing the permission scope

The commands scope can be excluded. The result will be that tickets cannot be made via slash commands or Slack Actions, only via emojis.

reactions:read and reactions:write scope

πŸ”’This scope can be reduced to bot only πŸ”’

Details

The reactions:read and reactions:write scope are requested as a User and Bot scope. The bot scope gives access to emoji reactions in DMs and channels where the bot is not invited. The user scope gives access to emoji reactions anywhere in Slack. With this scope enabled, emojis can be used to create a ticket anywhere in Slack, and emoji reactions sync between threads.

Impacts of reducing the permission scope

The reactions scopes can be limited to only a bot scope. The result will be that the emoji reaction cannot be used in channels the bot has not been invited to.

team:read, users.profile:read, users:read, users:read.email scope

🚫These scopes cannot be removed 🚫

Details

The team:read, users:read, users.profile:read, and users:read:email scope are requested as a bot scope. These scopes enable Halp to set the requester name and email when a new ticket is created. These scopes cannot be removed.

files:read and files:write

πŸ”’This scope can be removed completely πŸ”’

Details

The files:read scope is requested as a Bot scope and a User scope. The files:write scope is requested as a bot scope. The files scopes enable users to create tickets out of files, as well as for files added to tickets to be posted to the appropriate Slack threads.

Impacts of removing the permission scope

The commands scope can be excluded. The result will be that users cannot make tickets out of files, and files added to tickets will not post to Slack messages.

workflow.steps:execute

πŸ”’This scope can be removed completely πŸ”’

Details

The workflow.steps:execute scope is requested as a Bot scope. This scope lets an app Add steps that people can use in Workflow Builder. This feature is still an early beta feature and will be released to the public soon.

Impacts of removing the permission scope

You will not have access to the upcoming workflow step feature from Halp.

workflow.steps:execute

πŸ”’This scope can be removed completely πŸ”’

Details

The workflow.steps:execute scope is requested as a Bot scope. This scope lets an app Add steps that people can use in Workflow Builder. This feature is still an early beta feature and will be released to the public soon.

Impacts of removing the permission scope

You will not have access to the upcoming workflow step feature from Halp.

app:mentions.read

πŸ”’This scope can be removed completely πŸ”’

Details

The app:mentions.read scope is requested as a Bot scope. This scope lets Halp know when the Halp bot is mentioned in a channel that it is in. This scope is used for an upcoming beta feature.

Impacts of removing the permission scope

You will not have access to an upcoming @mention feature.

identity.basic & identity.email

🚫These scopes cannot be removed 🚫

Details

The identity.basic and identity.email scope is requested as a Bot scope. These scopes allow users to authenticate into the Halp web platform.


How did we do?


Powered by HelpDocs (opens in a new tab)