Introduction
The Slack connector for Glean allows Glean to fetch and index content from Slack, ensuring that users can search and access documents they have authorized permissions.
Authentication: Glean requires authentication to the Slack instance in order to fetch relevant information from Slack and Authentication is done by creating the Glean app in Slack.
Webhooks: Glean creates a custom app for each customer, which ensures that webhooks are sent directly to each customer's cloud project after it is installed by the Slack admin
Data Storage: All data is stored in the cloud project within the customer's cloud account, ensuring no data leaves the customer's environment
API Usage
Standard API: Glean uses Atlassian’s standard API for Slack to ingest all data
Integration Features
Content Captured:
Conversations in public channels (messages, threads, the channel itself)
Files shared in public channels
Private channels/DMs (enabled on a per-user basis & can be disabled by the admin)
Permissions Enforcement: Glean respects all user access permissions, ensuring users only see search results for documents they have access to. When a user clicks on a search result, they are taken to the Slack web application, which enforces the permission.
Versions Supported
There are no specific version limitations Slack or Slack Enterprise Grid for the Slack connector
Objects Supported
The Slack connector supports the following objects:
Conversations in public channels (messages, threads, the channel itself)
Files shared in public channels
Private channels/DMs (enabled on a per-user basis & can be disabled by the admin)
Authentication Mechanism
Connector credentials requirements
The Slack connector for Glean requires specific permissions to function correctly.
Glean requires authentication to the Slack instance to fetch relevant information.
Workspace Admin-level permissions are required for setup and configuration.
Glean understands all user access permissions and strictly enforces them at the time of the query, ensuring that users cannot see results to which they do not have access.
It’s important to note that all data is stored in the cloud project in the customer's cloud account, and no data leaves the customer's environment.
Glean only requires READ-level permissions to view your data, and write scopes are only necessary when a chatbot (Gleanbot) will be responding in channels.
Private Message Authorization
Glean provides the ability to crawl and utilize private Slack messages in search and chat. Each user must authorize Glean in https://app.glean.com/settings/datasources. Private messages can only be viewed by the authorized user.
Write Scopes for Gleanbot in Slack Discussion
For the Gleanbot to respond in channels, the Glean Slack connector requires certain write scopes to enable its functionality within Slack. Here is an explanation of each write scope and why it is needed by Glean:
chat:write: This scope allows the Gleanbot to send messages in channels and direct messages. It is essential for the bot to communicate with users, provide responses, and interact within the Slack workspace.
chat:write.public: This scope is similar to chat:write but specifically allows the bot to post messages in public channels. It ensures that the bot can participate in public conversations and provide information or assistance as needed.
im:write: This scope allows the bot to send direct messages to users. It is necessary for the bot to initiate private conversations, provide personalized assistance, and respond to user queries in direct messages.
reactions:write: This scope enables the bot to add reactions to messages. It is useful for the bot to acknowledge messages, provide feedback, or interact with users in a non-verbal manner.
links:write: This scope allows the bot to create and manage Slack app links. It is important for the bot to share links to resources, documents, or other relevant information within the Slack workspace.
These write scopes are necessary for Glean to fully integrate with Slack and provide a seamless user experience. They enable the bot to interact with users, share information, and perform various actions within the Slack environment.
Authentication scope requirements
The Slack connector crawls per-workspace. Companies on an Enterprise Grid plan can make use of the Slack Enterprise Grid connector, which crawls across all workspaces by default.
Glean recommends creating their own app. Admins will authorize their custom app to crawl their workspace.
Enterprise Grid uses a Slack central app. Admins authorize the central app to crawl their full enterprise (all workspaces) by default. This uses the single scope discovery:read (Slack Discovery APIs).
Connection Instructions for Slack
Required permissions for setup
The user setting up this data source must be a Slack Workspace Owner or Slack Workspace Admin. You can check whether you have this permission using this slack guide.
We recommend using or creating a service account for your Slack integration, so that you may control your personal slack results separately from the admin account
Installation Process
Open Slack on web.
Look for your workspace name in the top left. Click your workspace name and find the Slack URL in the menu, ending in .slack.com. The domain is the portion before .slack.com, e.g. if the URL is yourdomain.slack.com, the domain would be yourdomain. Enter the domain in Glean.
The URL you’re on should be of the form app.slack.com/client/T12345678. Copy this last part of the URL and paste it into Glean as the workspace ID. Note the workspace ID will start with
T.
Create an app
Visit the Slack API site and click Create New App.
Choose From an app manifest.
Select the same workspace you chose on the previous screen and click Next.
Replace existing YAML comment with the following and click Next.
_metadata:
major_version: 1
minor_version: 1
display_information:
name: Glean
description: Searches across all your apps
background_color: "#343ced"
features:
app_home:
home_tab_enabled: true
messages_tab_enabled: true
messages_tab_read_only_enabled: false
bot_user:
display_name: Glean
always_online: true
shortcuts:
- name: Create an Answer in
type: message
callback_id: create_answer
description: Create a new answer in Glean
- name: Create Announcement in
type: message
callback_id: create_announcement
description: Create a new announcement in Glean
slash_commands:
- command: /glean
url: https://scio-prod-be.glean.com/slack/command
description: Searches across all your apps
usage_hint: "[query]"
should_escape: false
unfurl_domains:
- glean.com
oauth_config:
redirect_urls:
- https://scio-prod-be.glean.com/slack/oauth
- https://scio-prod.askscio.com/slack/oauth
- https://scio-prod-be.askscio.com/slack/oauth
scopes:
user:
- links:read
- mpim:read
- pins:read
- reactions:read
- stars:read
- team:read
- users.profile:read
- users:read
- users:read.email
- channels:read
- channels:history
- groups:history
- mpim:history
- files:read
- groups:read
- im:read
- im:history
bot:
- app_mentions:read
- channels:history
- channels:read
- chat:write
- chat:write.public
- commands
- groups:history
- groups:read
- im:history
- im:write
- links:read
- mpim:history
- mpim:read
- reactions:write
- users:read
- links:write
settings:
event_subscriptions:
request_url: https://scio-prod-be.glean.com/slack/events
user_events:
- channel_created
- channel_deleted
- channel_history_changed
- channel_left
- channel_rename
- channel_unarchive
- file_change
- file_created
- file_deleted
- file_shared
- file_unshared
- group_deleted
- group_history_changed
- group_left
- link_shared
- im_created
- im_history_changed
- member_joined_channel
- member_left_channel
- message.channels
- message.groups
- message.im
- message.mpim
- team_join
bot_events:
- app_home_opened
- app_mention
- link_shared
- message.im
- team_join
interactivity:
is_enabled: true
request_url: https://scio-prod-be.glean.com/slack/interaction
org_deploy_enabled: false
socket_mode_enabled: false
token_rotation_enabled: falseClick Create.
Generate a token
Click the Basic Information tab and scroll down until you see App-Level Tokens.
Click Generate Token and Scopes.
Name the token: Glean
Click Add Scope and add the scope
authorizations:read.Click Generate and paste the token into Glean.
Add an icon
Click the Basic Information tab.
Download this logo.
Click Choose File and select the logo you just downloaded above
Connect to Glean
Click the Collaborators tab and add at least one additional administrator from your company.
Copy and paste the following fields from Basic Information into Glean: Client ID, Client Secret, Signing Secret.
Go to OAuth & Permissions from the left navigation and click Install to Workspace.
Click Create Authorization Link and follow the generated link. If the authorization succeeds, you’re all set!
Connection Instructions for Slack Enterprise Grid
Required permissions for setup
The user setting up this data source must be a Slack Org Owner or Slack Org Admin. You can check whether you have this permission using this slack guide.
Other prerequisites
Verify that your Organization is on a Slack Enterprise plan.
Enable the Discovery API for your Organization if you have not already:
You can email exports@slack.com requesting enablement or reach out to your AE, as they should be able to take care of this for you
Option1: Setup For GleanBot (Recommended)
This is recommended. If decide not to set this up then leave the three inputs blank in the Glean setup page and proceed to Setup for Glean Enterprise App for Search.
Create an app
Visit the Slack API site and click Create New App.
Choose From an app manifest.
Select a workspace where you'd like to install the app and click Next.
Replace existing YAML comment with the following and click Next. %manifest%
Click Create.
Add an icon
Click the Basic Information tab.
Download this logo.
Click Choose File and select the logo you just downloaded above.
Connect App to Glean
Click the Collaborators tab and add at least one additional administrator from your company.
Go to OAuth & Permissions from the left navigation and click Install to Workspace.
Click on Manage distribution and select Distribute App
Go to Enable Org-Wide App Installation and click Opt into Org Level Apps and Opt-In
Go to Install App and copy the Bot User OAuth Token and paste into Glean setup page.
Go to Basic Information and copy the Signing Secret and paste into Glean setup page.
Generate a token
Click the Basic Information tab and scroll down until you see App-Level Tokens.
Click Generate Token and Scopes.
Name the token: Glean
Click Add Scope and add the scope authorizations:read.
Click Generate and paste the token into Glean.
Follow the steps listed in the section below to add Glean app to multiple workspaces (if required).
Optional to set up the Glean Bot in multiple workspaces
Navigate to the management console for your Slack Enterprise Grid organization.
Click on Integrations and Installed apps in the left navigation.
On the right side of the page, click on the ... next to the Glean app and you will see the option to Add to more workspaces.
Option2: Setup for Glean Enterprise App for Search (Required for Search)
Follow this if you don't need the Gleanbot and just need the ability to search for slack messages in Glean. This will install the app "Glean Enterprise".
Generate an OAuth token
Follow the authorize link below and follow the on-screen instructions. You will see a page with the option to Allow the access scopes for our app on your workspace:
The scopes on the screen read-only, and are necessary as follows:
Administer Slack for your organization: equivalent to "read all", used to index messages in your organization for search. This is used rather than the individual read scopes to allow for better performance, admin search, and data-loss prevention.
Follow the steps listed in the Optional to set up the GleanBot in multiple workspaces (section above to add Glean app to multiple workspaces, if required).
Slack Socket Mode
Customers can use the WebSocket URL to establish communication with the Glean app as an alternative to using an HTTP Request URL
Steps:
Have customers enable Socket Mode on their Glean slack app in the app config under the socket mode section
In settings/Basic Information, add a new app-level token with both connections:write and authorizations:read scope.
Re-auth the Gelan Slack app with the new token generated
Contact your Glean representative to complete the configuration
Items crawled
Content Indexed
Conversations in public channels (messages, threads, the channel itself)
Files shared in public channels
Private channels/DMs (enabled on a per-user basis & can be disabled by the admin)
Identity
Users: Information about users within Slack
Groups: Details about groups within Slack
The identity crawl operates with the following configurations:
Incremental Identity Crawls: These are performed to capture changes since the last crawl.
Full Identity Crawls: These are conducted periodically to ensure all identity data is up-to-date.
Activity
Slack has webhooks. The Slack connector is dependent on webhooks for the most responsive changes. These webhooks include:
Channel membership addition/deletion (within the hour)
Channel modification (e.g. public -> private channel changes fully processed within two hours)
File/message tombstoning (e.g. removal of file/message if detected by DLP policies)
New/edited messages coming in
Slack Enterprise Grid Crawling Updates
Slack Enterprise Grid crawls via regular activity crawls and full crawls.
Activity crawls detect all new/edited/deleted messages across all channels, and run every ten minutes.
Full crawls are comprehensive as a form of redundancy to ensure all data is covered. These run in the background every 30 days.
Slack Enterprise Grid runs regular identity crawls for public/private workspace/channel memberships.
Rate Limits
Most Slack APIs are tier 3, implying we get 0.83 QPS to crawl new/edited messages and memberships.
Webhooks are limited to 30,000 events delivered per hour, per workspace.
See Slack API rate limits for more information.
Update frequency
Content updates for the Slack connector in Glean can happen quite rapidly, depending on the type of update and the configuration settings. Here are the key areas:
Activity Reports: Adds, updates, and permissions changes are crawled every 5 minutes via Webhooks. This means that any new files, modifications to existing files, or changes in sharing permissions are detected and processed quickly.
People / Identity Crawls: The identity crawl, which runs every hour, picks up changes to group memberships. This ensures that any updates to user groups and their permissions are reflected promptly.
Incremental Crawls: These occur every 3 hours to provide additional reliability beyond the minute-by-minute activity reports.
Full Crawls: The frequency of full crawls can be configured, but they are generally less frequent than incremental crawls at 28 days
For the most up-to-date crawler refresh information, please refer to [External] Glean crawling strategy
How the crawl works
The Slack crawler follows the traditional crawler strategy including utilizing the Slack API and the following ways to get and update data:
Identity Crawl: updating and adding People data including users, groups, and other information
Activity Crawl: Adds, updates, and permissions changes to content
Webhooks: are messages sent by the application to notify Glean of changes in real-time and then Glean either initiates crawl or picks up the change on the next crawl
Content Crawls: Full crawls the entire defined scope of the application whereas incremental crawls only capture the changes from the previous full or incremental crawl.
All messages (including edits) are also crawled both incrementally and through full crawls. These run in the background and can take several days.
Known Limitations in Crawl
Private messages only appear once individual users who want to crawl the data have authorized the Slack integration.
These features are currently unsupported:
The Slack Enterprise Application should have an allowlist of IPs, which the customer can constrain on the Slack Enterprise application itself, to extract tenant-specific data from an endpoint.
Multiple instances of Slack Enterprise Grid per Glean instance
Scopes Required + API Endpoints
The Glean connector for Slack requires specific permissions to ensure seamless indexing and accurate search results. These permissions serve distinct purposes:
Message Access: Permissions are utilized to read messages from the Slack API, enabling Glean to index them and make them searchable.
User Information: Permissions are required to read user information within the Slack workspace. This is essential for accurately assigning permissions to messages. For instance, even for messages in public channels, Glean ensures that only users within the Slack workspace can search for and access those messages.
Message Metadata: Permissions are used to read metadata such as links, reactions, and pins. This information helps determine a message's significance, which is then factored into the ranking and ordering of search results within Glean.
By leveraging these permissions, Glean ensures both robust functionality and strict adherence to Slack’s access control policies.
Note: These refer to User Token Scopes.
Scope | API Endpoints | Purpose |
Read links shared in the messages. We use this as part of our calculation when ranking the documents returned in search. | ||
Read a list of multi-person direct messages. | ||
Read pinned messages. We use this as part of our calculation when ranking the documents returned in search. | ||
Read reactions to messages. We use this as part of our calculation when ranking the documents returned in search. | ||
Read reactions to messages. We use this as part of our calculation when ranking the documents returned in search. | ||
Read the name and icon of the workspace. | ||
Read user profiles to understand the role and department of the user in the workspace. | ||
Read the members of the slack workspace. | ||
Read user emails so that we can identify which Glean user matches which Slack user. | ||
Read a list of the public channels in the workspace. | ||
Read messages in public channels. | ||
Read messages in private channels so that you can search for these messages in Glean. | ||
Read messages in multi-person direct messages so that you can search for these messages in Glean. | ||
Read files shared in the conversation so that you can search for these files in Glean. | ||
Read a list of private channels in the workspace. | ||
| Read a list of direct messages in the workspace. | |
Read messages in direct messages so that you can search for these messages in Glean. |
Content Configuration
Note: If Inclusion (Green-Listing) options are enabled, only content from the Inclusion category will be indexed. If Exclusion (Red-Listing) options are enabled, all content in the exclusion category will be removed. If both rules are applied to the same content, then the content will NOT be indexed, as exclusion rules take priority.
The rules below should be used MINIMALLY to preserve the enterprise search experience, as most end-users expect to find all content. Most customers do not apply any rules or apply exclusion rules sparingly for sensitive folders.
There may be a delay before the system fully reflects these changes. Furthermore, customers can hide the relevant documents if access has been inadvertently granted to an individual. For detailed guidance on using the “Hide” functionality via CSV upload, please refer to How to Hide Documents via CSV Upload article.
Exclusion (Red-Listing) Options
Exclusion is a useful feature if there are specific Slack channels that should not be crawled and indexed by Glean. This function can be enabled for both public and private channels. Please contact Glean Support to process the rule change for a channel or channel list to be excluded.
Inclusion (Green-Listing) Options
Inclusion permits a more controlled onboarding of Slack channels, which is helpful for organizations needing a more measured approach. Please contact Glean Support to process the inclusion rule change.