Slack
Authentication & Authorization
Credentials
- Slack connects via OAuth 2.0 with the Authorization Code Grant flow.
- DataGrail owns a Slack OAuth 2.0 app that provides the credentials used to authenticate customers; a customer connects the integration by logging into their Slack account with their admin credentials and accepting the app installation.
- Slack OAuth tokens do not expire. When they are no longer needed, they can be revoked.
Scopes
The Slack API requires specific user scopes that the customer must approve in order to grant DataGrail read access to the objects necessary to complete privacy requests:
- search:read – search a workspace’s content;
- channels:history – view messages and other content in public channels that your Slack app has been added to;
- channels:read – view basic information about public channels in a workspace;
- team:read – view details of the workspaces your Slack app is connected to;
- users:read – view people in a workspace;
- users:read.email – view email addresses of people in a workspace.
Depending on the Slack product plan, customers may connect the DataGrail integration in “Workspace App” or “Enterprise Grid” mode, each with different OAuth scopes. In “Enterprise Grid” mode the DataGrail integration requests additional scopes for accessing System Detection endpoints:
- app_mentions:read – view messages that directly mention “@your_slack_app” in conversations that the app is in;
- admin.apps:read – view apps and app requests in a workspace.
When the DataGrail Slack app asks for OAuth scopes, they are applied to user tokens. User tokens represent the same access a user has to a workspace – the channels, conversations, users, reactions, etc. they can see.
Endpoints Utilized
- Request authorization:
- Get and refresh access token:
- Validate that credentials are good based on a successful response:
- List the workspaces a token can access.
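The Authorization Code flow described under Credentials, and the request/exchange/validate steps listed above, as an added worked example. This is not DataGrail's code and the page does not name the Slack endpoints it calls; the example assumes the public Slack Web API methods oauth.v2.access (code exchange) and auth.test (token validation), and injects the HTTP transport (`post`) so that it runs offline against constructed responses. The `state` parameter is the part practitioners most often skip: without it a forged callback could bind an attacker's workspace to a victim's DataGrail session.

```python
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://slack.com/oauth/v2/authorize"
API_BASE = "https://slack.com/api/"

# The user scopes listed on this page for "Workspace App" mode.
USER_SCOPES = ["search:read", "channels:history", "channels:read",
               "team:read", "users:read", "users:read.email"]


def new_state():
    """Unguessable per-login value; store it in the admin's browser session so the
    callback can be tied to the login that started it (CSRF defence)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, user_scopes=USER_SCOPES):
    """Step 1 of the Authorization Code grant: send the admin to Slack's consent screen.
    `user_scope` (not `scope`) requests scopes on the *user* token, as the page describes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "user_scope": ",".join(user_scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def valid_callback(expected_state, received_state):
    """Reject callbacks whose state does not match the one issued (constant-time compare)."""
    return bool(received_state) and hmac.compare_digest(expected_state, received_state)


def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Step 2: trade the one-time code for tokens via oauth.v2.access.
    `post(url, data, headers=None) -> dict` is injected so the block runs offline."""
    resp = post(API_BASE + "oauth.v2.access",
                {"client_id": client_id, "client_secret": client_secret,
                 "code": code, "redirect_uri": redirect_uri})
    if not resp.get("ok"):
        raise RuntimeError("oauth.v2.access failed: %s" % resp.get("error"))
    user = resp.get("authed_user") or {}
    if not user.get("access_token"):
        raise RuntimeError("response carries no user token")
    return {"user_token": user["access_token"],
            "team_id": resp["team"]["id"],
            "scopes": {s for s in user.get("scope", "").split(",") if s}}


def validate_token(post, user_token):
    """Step 3: auth.test returns ok only for a live token (a revoked token fails)."""
    resp = post(API_BASE + "auth.test", {},
                headers={"Authorization": "Bearer " + user_token})
    return bool(resp.get("ok"))


def missing_scopes(granted, required=USER_SCOPES):
    """Scopes the page requires that the admin did not grant on the consent screen."""
    return sorted(set(required) - set(granted))


def demo_post(url, data, headers=None):
    """Constructed stand-in for an HTTP POST, returning Slack-shaped sample JSON."""
    if url.endswith("oauth.v2.access"):
        if data.get("code") != "demo-code":
            return {"ok": False, "error": "invalid_code"}
        return {"ok": True, "token_type": "bot", "access_token": "xoxb-demo-bot",
                "team": {"id": "T0DEMO", "name": "Demo Workspace"},
                "authed_user": {"id": "U0ADMIN", "token_type": "user",
                                "access_token": "xoxp-demo-user",
                                "scope": "search:read,channels:read,users:read"}}
    if url.endswith("auth.test"):
        live = (headers or {}).get("Authorization") == "Bearer xoxp-demo-user"
        return {"ok": True, "user_id": "U0ADMIN"} if live else {"ok": False, "error": "invalid_auth"}
    raise ValueError("unexpected URL: " + url)


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("123.456", "https://example.invalid/slack/callback", state))
    creds = exchange_code(demo_post, "123.456", "demo-secret", "demo-code",
                          "https://example.invalid/slack/callback")
    print("token live:", validate_token(demo_post, creds["user_token"]))
    print("missing scopes:", missing_scopes(creds["scopes"]))
```

Because Slack user tokens never expire, `validate_token` is the only way to learn that a customer revoked one; run it before each privacy request rather than assuming stored credentials are still good, and compare granted scopes against `USER_SCOPES` so a partially approved install is reported instead of silently returning incomplete results.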
Limits
- DataGrail throttles requests to stay within 70-80% of the service’s specified rate limits.
- When an API response carries HTTP status 429, DataGrail interrupts the request, waits, and retries using an exponential backoff strategy.
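The two limits above combined into one client, as an added example rather than DataGrail's own implementation: calls are paced so sustained throughput stays at a configurable fraction (75% by default, inside the 70-80% band the page states) of the vendor limit, and a 429 response triggers a wait and retry. Slack includes a `Retry-After` header (in seconds) with its 429 responses; the example honours it when present and otherwise falls back to capped exponential backoff with jitter. The transport and clock are injected and the `limit_per_minute` value is a constructed example, so the block runs offline.

```python
import random
import time


class RateLimitExceeded(RuntimeError):
    """Raised when a call is still rejected with 429 after max_retries."""


class ThrottledClient:
    """Paces calls at target_fraction of the vendor limit and backs off on HTTP 429."""

    def __init__(self, transport, limit_per_minute, target_fraction=0.75,
                 max_retries=5, base_delay=1.0, max_delay=60.0,
                 sleep=time.sleep, clock=time.monotonic, rng=random.random):
        # transport(method, params) -> (status, headers, body). Injected so the block
        # runs offline; in production it would POST to https://slack.com/api/<method>.
        self.transport = transport
        self.min_interval = 60.0 / (limit_per_minute * target_fraction)
        self.max_retries = max_retries
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.sleep, self.clock, self.rng = sleep, clock, rng
        self._next_allowed = 0.0

    def _throttle(self):
        """Client-side pacing: sustained throughput never exceeds target_fraction of the limit."""
        now = self.clock()
        wait = self._next_allowed - now
        if wait > 0:
            self.sleep(wait)
        self._next_allowed = max(now, self._next_allowed) + self.min_interval

    def call(self, method, **params):
        for attempt in range(self.max_retries + 1):
            self._throttle()
            status, headers, body = self.transport(method, params)
            if status != 429:
                return body
            # Honour the vendor's Retry-After when present; otherwise back off
            # exponentially (1s, 2s, 4s, ...) with jitter, capped at max_delay.
            retry_after = float(headers.get("Retry-After", 0) or 0)
            if retry_after > 0:
                delay = retry_after
            else:
                backoff = min(self.base_delay * (2 ** attempt), self.max_delay)
                delay = backoff + self.rng() * backoff
            self.sleep(delay)
        raise RateLimitExceeded("%s: still rate limited after %d retries"
                                % (method, self.max_retries))


class FakeClock:
    """Constructed clock for offline runs: sleeping advances time instantly."""

    def __init__(self):
        self.now = 0.0
        self.sleeps = []

    def sleep(self, seconds):
        self.sleeps.append(seconds)
        self.now += seconds

    def __call__(self):
        return self.now


def demo(responses=None):
    """Drive the client through two 429s and then a success; returns (body, sleeps, calls)."""
    responses = list(responses or [
        (429, {"Retry-After": "3"}, {"ok": False, "error": "ratelimited"}),
        (429, {}, {"ok": False, "error": "ratelimited"}),
        (200, {}, {"ok": True, "result": "done"}),
    ])
    calls = []

    def transport(method, params):
        calls.append(method)
        return responses[len(calls) - 1] if len(calls) <= len(responses) else responses[-1]

    clock = FakeClock()
    # 20 calls/minute is a constructed limit; at 75% the client spaces calls 4s apart.
    client = ThrottledClient(transport, limit_per_minute=20, target_fraction=0.75,
                             sleep=clock.sleep, clock=clock, rng=lambda: 0.0)
    body = client.call("search.messages", query="alice@example.com")
    return body, clock.sleeps, len(calls)


if __name__ == "__main__":
    print(demo())   # ({'ok': True, 'result': 'done'}, [3.0, 1.0, 2.0, 2.0], 3)
```

The pacing and the 429 handling are deliberately separate: pacing keeps the integration from being the cause of throttling in the first place, while backoff is the safety net for limits shared with other apps in the same workspace. Giving up after `max_retries` instead of looping forever matters for a privacy-request pipeline, where a stuck job should surface as a failure rather than hold the request open indefinitely.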
Access
For an access request, DataGrail will take the following actions:
- Search for the user by the data subject’s email address, if both scopes users:read and users:read.email are present.
- If the scopes are present and the user is found, do the following:
  - List the workspaces the token can access.
  - For each collected workspace:
    - Search for messages and files containing the data subject’s email;
    - Search for messages and files containing the data subject’s user ID.
- If the required scopes are missing or the user was not found, do the following:
  - List the workspaces the token can access.
  - For each collected workspace:
    - Search for messages and files containing the data subject’s email;
    - Filter the search results by the list of public channels;
    - Filter out false positives.
- For all objects found, DataGrail returns a list of collected fields. The customer can edit which objects and fields they want to provide to the data subject via our Portal Requests.
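The access-request procedure above, carried through both branches as an added example; it is not DataGrail's code. The page does not name the Slack endpoints, so the example assumes the public Web API methods users.lookupByEmail, auth.teams.list, conversations.list, search.messages and search.files, and injects the API client (`api`) with a constructed workspace (`demo_api`, `DEMO_MESSAGES`) so it runs offline. The "filter false positives" step is implemented as a whole-token match on the address, which is one reasonable reading of that step rather than DataGrail's stated rule: full-text search over-matches, and returning `malice@example.com`'s messages to `alice@example.com` would itself be a data leak.

```python
import re

USER_LOOKUP_SCOPES = {"users:read", "users:read.email"}


def find_user_id(api, token, email, scopes):
    """Step 1: resolve the data subject to a Slack user ID, but only if both
    lookup scopes were granted; otherwise (or if unknown) return None."""
    if not USER_LOOKUP_SCOPES <= set(scopes):
        return None
    resp = api("users.lookupByEmail", token, email=email)
    if not resp.get("ok"):            # e.g. {"ok": False, "error": "users_not_found"}
        return None
    return resp["user"]["id"]


def list_teams(api, token):
    """Workspaces the token can access."""
    resp = api("auth.teams.list", token)
    return resp.get("teams", []) if resp.get("ok") else []


def public_channel_ids(api, token, team_id):
    """Public channels only; anything private is excluded in the fallback branch."""
    resp = api("conversations.list", token, team_id=team_id, types="public_channel")
    return {c["id"] for c in resp.get("channels", []) if not c.get("is_private")}


def search_team(api, token, team_id, query):
    """Messages and files in one workspace whose text matches `query`."""
    found = []
    msgs = api("search.messages", token, query=query, team_id=team_id)
    for m in msgs.get("messages", {}).get("matches", []):
        found.append({"type": "message", "channel": m["channel"]["id"],
                      "id": m["ts"], "text": m.get("text", "")})
    files = api("search.files", token, query=query, team_id=team_id)
    for f in files.get("files", {}).get("matches", []):
        channels = f.get("channels") or [None]
        found.append({"type": "file", "channel": channels[0],
                      "id": f["id"], "text": f.get("title", "")})
    return found


def is_true_positive(item, email):
    """Full-text search also returns hits where the address is only a substring
    (e.g. 'malice@example.com' for 'alice@example.com'); keep whole-token hits only."""
    pattern = r"(?<![\w.+-])" + re.escape(email) + r"(?![\w.-])"
    return re.search(pattern, item["text"], re.IGNORECASE) is not None


def collect_access_data(api, token, email, scopes):
    """Run the access-request procedure and return the de-duplicated objects found."""
    user_id = find_user_id(api, token, email, scopes)
    results = []
    for team in list_teams(api, token):
        tid = team["id"]
        if user_id is not None:
            # Branch A: user resolved -> search by email and by user ID, no further filtering.
            for query in (email, user_id):
                results.extend(dict(item, team=tid) for item in search_team(api, token, tid, query))
        else:
            # Branch B: scopes missing or user unknown -> email only, public channels only,
            # then drop substring false positives.
            public = public_channel_ids(api, token, tid)
            for item in search_team(api, token, tid, email):
                if item["channel"] in public and is_true_positive(item, email):
                    results.append(dict(item, team=tid))
    seen, unique = set(), []
    for r in results:                 # the same message can match both queries in Branch A
        key = (r["team"], r["type"], r["channel"], r["id"])
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


# Constructed sample workspace: one public channel (C0PUB), one private channel (G0PRIV).
DEMO_MESSAGES = [
    {"channel": {"id": "C0PUB"}, "ts": "1700000001.0", "text": "Contact alice@example.com for the report"},
    {"channel": {"id": "C0PUB"}, "ts": "1700000002.0", "text": "cc malice@example.com"},
    {"channel": {"id": "G0PRIV"}, "ts": "1700000003.0", "text": "alice@example.com signed off"},
    {"channel": {"id": "C0PUB"}, "ts": "1700000004.0", "text": "<@U0ALICE> please review"},
]


def demo_api(method, token, **params):
    """Constructed stand-in for the Slack Web API returning fixed sample responses."""
    if method == "users.lookupByEmail":
        if params.get("email") == "alice@example.com":
            return {"ok": True, "user": {"id": "U0ALICE"}}
        return {"ok": False, "error": "users_not_found"}
    if method == "auth.teams.list":
        return {"ok": True, "teams": [{"id": "T0WS1", "name": "Workspace One"}]}
    if method == "conversations.list":
        return {"ok": True, "channels": [{"id": "C0PUB", "name": "general", "is_private": False}]}
    if method == "search.messages":
        q = params["query"].lower()   # substring match mimics full-text search over-matching
        return {"ok": True, "messages": {"matches": [m for m in DEMO_MESSAGES if q in m["text"].lower()]}}
    if method == "search.files":
        return {"ok": True, "files": {"matches": []}}
    raise ValueError("unexpected method: " + method)
```

With the full scope set the sample returns all four messages, including the private-channel hit and the `malice@` hit, because the user was positively identified and the page applies no further filter in that branch. Without `users:read.email` the same search yields only the one public, whole-token match: the private-channel message and the substring hit are dropped, which is the behaviour a reviewer should expect when the integration cannot confirm who the address belongs to.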
Endpoints Utilized
Deletion
DataGrail supports the Direct Contact Deletion workflow for Slack.
System Detection
System Detection functionality is available only in “Enterprise Grid” mode. DataGrail reads the apps and app requests in a Slack workspace to detect newly added systems.
- Source: represents a SaaS service that sends data into Slack.
- Destination: represents a SaaS service that receives data from Slack. Destinations are linked to Sources.
Endpoints Utilized
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.