Permissions

Overview

As a Workplace system administrator, you can control the capabilities offered to each integration by creating apps and granting them specific permissions. Each app can be named to reflect the service it enables. Apps come with unique access tokens and permissions to control what information is allowed to be read or written by that app.

This guide describes the app and permission model in more detail.

The permission controls when editing a custom integration app

Available Permissions

Each Workplace app can be granted its own set of permissions to control the level of functionality available to it on the Graph API and Account Management API.

When you create an app and grant permissions, those permissions are applied to every account in your community. Account holders don't need to grant additional permissions to the app in order to benefit from its functionality. This differs from the permission model on Facebook, where each user individually grants permissions to an app when logging in.

Below is a full list of the app permissions available to integrations, along with an overview of how they can be used.

PermissionDescription

Read group content

Read posts and comments in selected groups.

read_group

Use this permission when building an integration that fetches all content from selected groups.

If your integration will act as a bot in a group, use the Mention bot permission instead.

Manage group content

Manage posts and comments in selected groups.

write_group

Use this permission when building an integration that posts content to groups, such as a weekly report from an internal service, or a service status notification bot.

Read user timeline

See posts made by group members on their timeline

read_user_feed

Use this permission when building an integration that:

  • Fetches all content from a group member's timeline
  • Subscribes to changes on the status field in the user's profile

Manage user timeline

Post and comment on any group member's timeline

write_user_feed

Use this permission to enable an integration to create or edit a post on a group member's timeline.

Mention bot

Where mentioned in a post, see the post and reply to comments.

bot_mention

Use this permission for building bots in Workplace Groups.

Manage groups

Create, edit or remove selected groups and their members.

manage_group

Use this permission when building an integration that auto-generates groups and populates group members based on org chart structure or project groups.

If an integration with this permission is scoped to specific groups, it won't be allowed to create new groups.

Manage accounts

Provision, update or deactivate accounts via the Account Management API.

manage_accounts

Use this permission for any integration with an account provisioning service, such as identity providers, the Active Directory Sync Tool or a custom Account Management API client.

When you enable this permission, you'll have the option to enable the "Automatically invite people to Workplace as soon as they're added using this integration" permission.

Manage badges

Award badges to people in a Workplace community.

manage_badges

Use this permission to enable an integration to:

  • Award badges to a member
  • Get the list of badges awarded to a member
  • Get the list of available badges

Read user email

See any group member's email address.

read_user_email

This permission allows you to fetch the email account associated with a Workplace user's account.

Read work profile

Read-only access to people's directory information.

read_user_work_profile

Allows an app to fetch people's department, division, organization, primary_address, primary_phone, title, and gender.

Read org chart

Read-only access to people's managers and subordinates.

read_user_org_chart

Allows an app to fetch people's manager(s) and subordinate(s).

Message any member

Send and receive chat messages to and from any member of your community.

message

Use this permission for building bots in Work Chat.

Read all messages

Read chat messages from any member in your community.

read_all_messages

Use this permission to enable a compliance integration that will monitor Workplace Chat usage.

Delete chat messages

delete_messages

Use this permission to enable an app to delete chat messages from a person's conversations, e.g., to implement a retention policy.

Read security logs

Access details of security events, including login attempts and password reset requests.

receive_security_logs

Use this permission to enable a compliance integration that will monitor Workplace Chat usage.

Logout

Log members out from all active sessions

logout

Use this permission to log a user out of Workplace

Create link previews

Rich previews for links shared in Workplace.

link_unfurling

Apps with this permission can generate authenticated previews for links that are shared in Workplace.

Manage Work Profiles

Read and update work profiles in Workplace.

manage_profiles

Apps with this permission combine the reading permissions of read_user_work_profile and read_user_org_chart. Apps with this permission also are able to update account information (e.g.: Name, department, division, title, organisation, phones)

Provision User Accounts

Provision accounts in Workplace.

provision_accounts

Apps with this permission can provision, deactivate and delete (unclaimed) Workplace accounts. This permission also allows updates to the active, email, name, hire_date, and invited member's fields.

Read group membership

List the members of a group and list the groups that a user is a member of

list_group_members

Apps with this permission can query the list of members of a particular group. Furthermore, it is possible to list the groups that a user is a member of.

Manage Knowledge Library content

Create, edit and delete important company information in Knowledge Library

manage_knowledge_library

Apps with this permission can create and modify content within Knowledge Library. Use this permission to enable an integration to:

  • Creat/Update/Delete a category
  • Create subcategories within a category
  • Update photos/videos/files to a category
  • Create/Update/Delete a quicklink

Read Knowledge Library content

Read important company information in Knowledge Library

read_knowledge_library

Apps with this permission can access content from Knowledge Library. Use this permission to enable an integration to:

  • Get the list of categories
  • Get content for a specific category
  • Get the list of quicklinks

Export employee data

Export the list of current employees and their activity data in a CSV format.

export_employee_data

Apps with this permission can schedule a data export job which generates a CSV file listing all Workplace users. The CSV also includes data on the user, as well as information on their recent use of Workplace features.

Group Chat Bot

Enabling bots to interact in group chat.

bot_group_chat

Apps with this permission will enable them to interact with members in a Group Chat. Use this permission to enable an integration to create or manage a multi-person group chat.

This permission is dependent on message permission.

Manage Surveys

Create, update, delete and read survey configuration

manage_surveys

Apps with this permission can create, update, delete and read survey configuration.

Read surveys

Read surveys configuration and receive webhook updates related to surveys

read_surveys

Apps with this permission can read surveys configuration and receive webhook updates related to surveys.

Read surveys

Read surveys configuration and receive webhook updates related to surveys

read_surveys

Apps with this permission can read surveys configuration and receive webhook updates related to surveys.

Read People Sets

Read People Sets

read_people_sets

Apps with this permission can See Dynamic People Set configuration and subscribe to updates related to people sets

Manage people sets

Manage people sets

manage_people_sets

Apps with this permission can create, update and delete people sets in the Workplace community

Read important posts

Read important posts

read_important_posts

Allows the integration to read information about the important post promotions – both currently active and expired.

Manage important posts

Manage important posts

manage_important_posts

Allows the integration to mark group posts as important, making them appear on top of the feed, and allows to stop the important post promotion prematurely.

Remove profile information

Remove personal information for a deactivated user.

remove_profile_information

Allows the integration to remove profile fields such as name and profile image from deactivated users on Workplace.

Group-Level Permissions

For some permissions, it's possible to limit an integration to be enabled on specific groups. This allows you to scope an integration's access to just the content you want to expose.

For example, you can allow an alert-posting integration to post only in a team's own group, or enable an employee app integration to read content only in specific open groups.

To specify group-level permissions for a custom integration, use the Group Access panel in the Edit Integration dialog.

Enabling group level permission for this integration.

Group-level permissions apply to the following permissions:

  • Read group content - Read posts, comments and member profiles in selected groups
  • Manage group content - Manage posts and comments in selected groups
  • Manage groups - Edit or remove selected groups and their members

You can configure an integration such that group-level permissions can be applied to either All groups, Specific groups as chosen by a system administrator, or Let group admins enable for their groups.

Admin Install Flow

When Let group admins enable for their groups is enabled, an admin of a group will see a new Integrations tab under the Manage Group screen, allowing them to enable the integration on their group.

An example app which can now be enabled by the group admin.

App Tokens & Usage

When you create a new app for Workplace, an access token is generated for use with the Graph API, Account Management API, or Webhooks.

This access token will only be shown once, so it's important to store the token securely for later usage in code.

The token reset flow for a custom integration app

Workplace app tokens never expire, and do not need to be refreshed unless they have been manually reset. If you edit the permissions available to a given app, the existing token will still work, and you won't need to generate a new token.

If you ever need to invalidate a token, you can reset the token via the Reset Access Token button in the Edit App dialog. A new token will be generated and displayed, and the existing token will be immediately invalidated.

Token Security

Access tokens are powerful. They grant access to your company's data on Workplace. When creating an app, consider the minimal set of permissions necessary to complete the integration features, and don't grant any unnecessary permissions.

When storing tokens or adding them to code repositories, great care should be taken to ensure that they aren't shared with the wrong people.

Never commit production access tokens into public code repositories.

You must store and use your API Credentials only in your own server environment and ensure that these values are never copied or transmitted elsewhere, e.g., to mobile apps or web browser clients.

To add an additional layer of security for integrations, you should add an IP whitelist, which will restrict token usage to servers only on the whitelisted list of IP addresses.

Adding an IP whitelist to restrict token usage to specified servers and requiring App Secret Proof

Automatic removal of unused permissions

If a custom integration makes no calls using a particular permission for 30 days, that permission will be removed. After this has happened once for a custom integration, an option will be available to stop this removal process.

If a valid webhook subscription has been set up, the webhooks sent by this count as a use of the relevant permission.

Controls for automatic removal of permissions

App Secret Proof

Access tokens for Workplace don't expire. Custom integrations can require an app secret proof to add an additional layer of security. Enabling the 'Require App Secret Proof' option ensure that API calls are only ever made from server-side code, an expiring app-secret proof will be required along with a the access token when making API calls.

To generate an expiring app-secret proof, you'll need to concatenate the token with a unix timestamp, separated by a pipe symbol |, then create a SHA-256 hash of the concatenated string, using your app secret as the key. Here's an example in PHP:

$appsecret_proof = hash_hmac('sha256', $access_token.'|'.time(), $app_secret); 

Some Operating Systems and programming languages will return a timestamp that is a float. Be sure to convert to an integer value before calculating the app-secret proof. Some programming languages create the hash as a digest object. Be sure to express the hash as a hexadecimal object.

To make API calls with your app-secret proof, pass the generated hash via the appsecret_proof parameter, along with the appsecret_time set to the timestamp you used when hashing the app secret, along with your access token.

GET https://graph.facebook.com/v2.9/community/groups?
&access_token={access-token}
&appsecret_proof={appsecret_proof}
&appsecret_time={appsecret_time}

Time-stamped app secret proofs will be considered expired after 5 minutes, so it's recommended that you generate a new proof in-line when making each Graph API call.

Exploring API Functionality with Postman

Postman is a widely used tool for working with web APIs. You may find it convenient to explore the Workplace API using Postman, but the $appsecret_proof parameter presents a complication - since this value must be calculated and expires after five minutes, it would simplify matters if Postman could generate the value at request time. In fact Postman can do so using its Prerequests Scripts & Params features. This script can be used as a starting point:

// Add to Postman's Pre-request Script Tab
var access_token = "replace-me";
var app_secret = "replace-me";
var time = (new Date().getTime()/1000|0);
postman.setEnvironmentVariable("access_token", access_token)
postman.setEnvironmentVariable("appsecret_time", time);
postman.setEnvironmentVariable("appsecret_proof", CryptoJS.HmacSHA256(access_token + '|' + time, app_secret));
1) Create an active environment (there isn't one by default), then 2) add these three parameters, which are calculated by your pre-request script.