User Permissions and Roles

A Slack user is mapped to a Salesforce user via the proxy layer that connects Slack to Salesforce, which provides authorization and org routing capabilities.

In Salesforce, you can control who sees what using these methods:

  • Permission sets and profiles for object-level security
  • Permission sets and profiles for field-level security
  • Sharing settings for record-level security

Slack users don't have roles and permissions like those defined in Salesforce. However, a Slack user has a role, each with its own permissions and access. See Permissions by role in Slack.

For example, a guest role can be granted permission to send messages and upload files but they cannot join any public channel.

Actions in Slack apps are run in Salesforce within the user's context and follow the user's access rights.

When you connect a Slack app to a Salesforce org, a Slack user can perform activities and tasks that are granted to the corresponding Salesforce user. For example, an approval that's sent from Salesforce is routed directly to the approver on Slack, such as the user with the sales director role. Only this Slack user receives the message in Slack and can approve or reject the request.

Admins can create and assign permissions in Setup on the Permission Sets page. However, if you are distributing your Slack app, it's useful to include a permission to simplify installation and setup for users.

To grant a user access, use the PermissionSet metadata type and create a MyPerms.permissionset-meta.xml file in the force-app/main/default/permissionsets/ directory of your project.

In the metadata file, include the user permissions you want to assign to users. Use one <userPermissions> element for each permission.

The Apex SDK sample app provides an example on defining a permission set. See Sample Apex SDK for Slack App.