User Permissions and Roles

A Slack user is mapped to a Salesforce user via the proxy layer that connects Slack to Salesforce. The proxy layer provides authorization and org routing capabilities.

When you connect a Slack app to a Salesforce org, a Slack user can perform activities and tasks that are granted to the corresponding Salesforce user. Actions in Slack apps are run in Salesforce within the user's context and follow the user's access rights.

For example, an approval that's sent from Salesforce is routed directly to the approver on Slack, such as the user with the sales director role. Only this Slack user receives the message in Slack and can approve or reject the request.

In Salesforce, you can control who sees what using these methods:

  • Permission sets and profiles for object-level security
  • Permission sets and profiles for field-level security
  • Sharing settings for record-level security

Slack users don't have roles and permissions like those defined in Salesforce. However, a Slack user has a role with its own permissions and access. See Permissions by role in Slack.

For example, a guest role can be granted permission to send messages and upload files, but it can't join a public channel.

Admins can create and assign permissions in Setup on the Permission Sets page. However, if you're distributing your Slack app, it's useful to include a permission set to simplify installation and setup for users.

To grant a user access, use the PermissionSet metadata type and create a MyPerms.permissionset-meta.xml file in the force-app/main/default/permissionsets/ directory of your project.

In the metadata file, include the user permissions you want to assign to users. Use one <userPermissions> element for each permission.

The Apex SDK sample app provides an example of defining a permission set. See Sample Apex SDK for Slack App.
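
Because actions in the Slack app run with the mapped Salesforce user's access rights, it is worth checking what a distributed permission set actually grants before you ship it. The following is an added example, not code from the Apex SDK sample app: it embeds a constructed MyPerms.permissionset-meta.xml and lists the enabled <userPermissions> entries, flagging org-wide ones. The permission names in the sample, the BROAD list, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Org-wide permissions that bypass sharing or grant admin reach. This list is
# an assumption of the example; adjust it to your own review policy.
BROAD = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex", "CustomizeApplication"}

# Constructed sample of MyPerms.permissionset-meta.xml (not the sample app's file).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>My Perms</label>
    <hasActivationRequired>false</hasActivationRequired>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ViewAllData</name>
    </userPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
</PermissionSet>
"""

def enabled_user_permissions(xml_bytes):
    """Return the names of <userPermissions> entries whose <enabled> is true."""
    root = ET.fromstring(xml_bytes)
    names = []
    for perm in root.findall("md:userPermissions", NS):
        name = perm.findtext("md:name", default="", namespaces=NS).strip()
        enabled = perm.findtext("md:enabled", default="false", namespaces=NS).strip().lower()
        if name and enabled == "true":
            names.append(name)
    return names

def broad_permissions(xml_bytes):
    """Return enabled permissions that appear on the BROAD review list."""
    return sorted(set(enabled_user_permissions(xml_bytes)) & BROAD)

if __name__ == "__main__":
    print("enabled:", enabled_user_permissions(SAMPLE))
    print("review before distributing:", broad_permissions(SAMPLE))
```

To check a real project, read force-app/main/default/permissionsets/MyPerms.permissionset-meta.xml in binary mode and pass its contents to broad_permissions.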