Permissions

Overview

As a Workplace system administrator, you can control the capabilities offered to each integration by creating apps and granting them specific permissions. Each app can be named to reflect the service it enables. Apps come with unique access tokens and permissions to control what information is allowed to be read or written by that app.

This guide describes the app and permission model in more detail.

The permission controls when editing a custom integration app

Available Permissions

Each Workplace app can be granted its own set of permissions to control the level of functionality available to it on the Graph API and Account Management API.

When you create an app and grant permissions, those permissions are applied to every account in your community. Account holders don't need to grant additional permissions to the app in order to benefit from its functionality. This differs from the permission model on Facebook, where each user individually grants permissions to an app when logging in.

Below is a full list of the app permissions available to integrations, along with an overview of how they can be used.

PermissionDescription

Read group content

Read posts and comments in selected groups.

read_group

Use this permission when building an integration that fetches all content from selected groups.

If your integration will act as a bot in a group, use the Mention bot permission instead.

Manage group content

Manage posts and comments in selected groups.

write_group

Use this permission when building an integration that posts content to groups, such as a weekly report from an internal service, or a service status notification bot.

Report content

Report inappropriate posts and comments.

report_content

Allows the app to report posts for admins to review directly via the Graph API by making a POST to the

/community/reported_content

edge.

Apps can report content, but moderation can only be done by a person that has the Community Admin role.

Read user timeline

See posts made by group members on their timeline

read_user_feed

Use this permission when building an integration that:

  • Fetches all content from a group member's timeline
  • Subscribes to changes on the status field in the user's profile

Manage user timeline

Post and comment on any group member's timeline

write_user_feed

Use this permission to enable an integration to create or edit a post on a group member's timeline.

Mention bot

Where mentioned in a post, see the post and reply to comments.

bot_mention

Use this permission for building bots in Workplace Groups.

Manage groups

Create, edit or remove selected groups and their members.

manage_group

Use this permission when building an integration that auto-generates groups and populates group members based on org chart structure or project groups.

If an integration with this permission is scoped to specific groups, it won't be allowed to create new groups.

Manage accounts

Provision, update or deactivate accounts via the Account Management API.

manage_accounts

Use this permission for any integration with an account provisioning service, such as identity providers, the Active Directory Sync Tool or a custom Account Management API client.

When you enable this permission, you'll have the option to enable the "Automatically invite people to Workplace as soon as they're added using this integration" permission.

Read user email

See any group member's email address.

read_user_email

This permission allows you to fetch the email account associated with a Workplace user's account.

Read work profile

Read-only access to people's directory information.

read_user_work_profile

Allows an app to fetch people's department, division, organization, primary_address, primary_phone, title, and gender.

Read org chart

Read-only access to people's managers and subordinates.

read_user_org_chart

Allows an app to fetch people's manager(s) and subordinate(s).

Impersonate account

Post and comment in groups and read messages on behalf of any user.

Use this permission for making posts on behalf of users.

Impersonate tokens can only be retrieved for accounts that were claimed.

Message any member

Send and receive chat messages to and from any member of your community.

message

Use this permission for building bots in Work Chat.

When this permission is enabled, you'll be able to enable the "Allow this integration to work in group chats" permission.

Read all messages

Read chat messages from any member in your community.

read_all_messages

Use this permission to enable a compliance integration that will monitor Workplace Chat usage.

Delete chat messages

delete_messages

Use this permission to enable an app to delete chat messages from a person's conversations, e.g., to implement a retention policy.

Read security logs

Access details of security events, including login attempts and password reset requests.

receive_security_logs

Use this permission to enable a compliance integration that will monitor Workplace Chat usage.

Logout

Log members out from all active sessions

logout

Use this permission to log a user out of Workplace

Create link previews

Rich previews for links shared in Workplace.

link_unfurling

Apps with this permission can generate authenticated previews for links that are shared in Workplace.

Group-Level Permissions

For some permissions, it's possible to limit an integration to be enabled on specific groups. This allows you to scope an integration's access to just the content you want to expose.

For example, you can allow an alert-posting integration to post only in a team's own group, or enable an employee app integration to read content only in specific open groups.

To specify group-level permissions for a custom integration, use the Group Access panel in the Edit Integration dialog.

Enabling group level permission for this integration.

Group-level permissions apply to the following permissions:

  • Read group content - Read posts, comments and member profiles in selected groups
  • Manage group content - Manage posts and comments in selected groups
  • Manage groups - Edit or remove selected groups and their members

You can configure an integration such that group-level permissions can be applied to either All groups, Specific groups as chosen by a system administrator, or Let group admins enable for their groups.

Admin Install Flow

When Let group admins enable for their groups is enabled, an admin of a group will see a new Integrations tab under the Manage Group screen, allowing them to enable the integration on their group.

An example app which can now be enabled by the group admin.

App Tokens & Usage

When you create a new app for Workplace, an access token is generated for use with the Graph API, Account Management API, or Webhooks.

This access token will only be shown once, so it's important to store the token securely for later usage in code.

The token reset flow for a custom integration app

Workplace app tokens never expire, and do not need to be refreshed unless they have been manually reset. If you edit the permissions available to a given app, the existing token will still work, and you won't need to generate a new token.

If you ever need to invalidate a token, you can reset the token via the Reset Access Token button in the Edit App dialog. A new token will be generated and displayed, and the existing token will be immediately invalidated.

Token Security

Access tokens are powerful. They grant access to your company's data on Workplace. When creating an app, consider the minimal set of permissions necessary to complete the integration features, and don't grant any unnecessary permissions.

When storing tokens or adding them to code repositories, great care should be taken to ensure that they aren't shared with the wrong people.

Never commit production access tokens into public code repositories.

You must store and use your API Credentials only in your own server environment and ensure that these values are never copied or transmitted elsewhere, e.g., to mobile apps or web browser clients.

To add an additional layer of security for integrations, you should add an IP whitelist, which will restrict token usage to servers only on the whitelisted list of IP addresses.

Adding an IP whitelist to restrict token usage to specified servers and requiring App Secret Proof

Automatic removal of unused permissions

If a custom integration makes no calls using a particular permission for 30 days, that permission will be removed. After this has happened once for a custom integration, an option will be available to stop this removal process.

If a valid webhook subscription has been set up, the webhooks sent by this count as a use of the relevant permission.

Controls for automatic removal of permissions

App Secret Proof

Access tokens for Workplace don't expire. Custom integrations can require an app secret proof to add an additional layer of security. Enabling the 'Require App Secret Proof' option ensure that API calls are only ever made from server-side code, an expiring app-secret proof will be required along with a the access token when making API calls.

To generate an expiring app-secret proof, you'll need to concatenate the token with a unix timestamp, separated by a pipe symbol |, then create a SHA-256 hash of the concatenated string, using your app secret as the key. Here's an example in PHP:

$appsecret_proof = hash_hmac('sha256', $access_token.'|'.time(), $app_secret); 

Some Operating Systems and programming languages will return a timestamp that is a float. Be sure to convert to an integer value before calculating the app-secret proof. Some programming languages create the hash as a digest object. Be sure to express the hash as a hexadecimal object.

To make API calls with your app-secret proof, pass the generated hash via the appsecret_proof parameter, along with the appsecret_time set to the timestamp you used when hashing the app secret, along with your access token.

GET https://graph.facebook.com/v2.9/community/groups?
   &access_token={access-token}
   &appsecret_proof={appsecret_proof}
   &appsecret_time={appsecret_time}

Time-stamped app secret proofs will be considered expired after 5 minutes, so it's recommended that you generate a new proof in-line when making each Graph API call.

Exploring API Functionality with Postman

Postman is a widely used tool for working with web APIs. You may find it convenient to explore the Workplace API using Postman, but the $appsecret_proof parameter presents a complication - since this value must be calculated and expires after five minutes, it would simplify matters if Postman could generate the value at request time. In fact Postman can do so using its Prerequests Scripts & Params features. This script can be used as a starting point:

// Add to Postman's Pre-request Script Tab
var access_token = "replace-me";
var app_secret = "replace-me";
var time = (new Date().getTime()/1000|0);
postman.setEnvironmentVariable("access_token", access_token)
postman.setEnvironmentVariable("appsecret_time", time);
postman.setEnvironmentVariable("appsecret_proof", CryptoJS.HmacSHA256(access_token + '|' + time, app_secret));
1) Create an active environment (there isn't one by default), then 2) add these three parameters, which are calculated by your pre-request script.