Prevent others from changing our Custom Integrations Incoming WebHooks configuration

Question

We have created a Custom Integrations Incoming WebHooks configuration so that we can post notification from our CI pipeline into our slack channel. This works great so far, but today a colleague accidentally broke it by changing the target channel. Fortunately, there was a notification about this in our channel ("removed an integration from this channel: incoming-webhook"), so we were able to revert this quickly. But things would have been worse if the colleague only had regenerated the webhook URL... Naturally, we'd like to avoid this.

So, I am wondering if it is possible to restrict write access to our Incoming WebHooks configuration?

There seems to be a restriction if the target channel is private ‒ but I'd prefer that we can leave our channel public.

Answer 1

Incoming Webhooks count as Apps and the permission to modify them can be restricted to members with certain roles in the Slack workspace settings.

Most Slack admins will restrict access to managing apps to owners only and give that critical role to a few trusted members only.

If your incoming webhooks are Internal integrations and not Slack apps, then restricting them can be a problem. A solution would be to embed the incoming webhooks in a regular Slack app, which can be restricted.

Answer 2

Today I got a response from Slack support, and they say that they don't have a fine-grained permission model for controlling access to specific configurations. The only options are "everyone can change the configuration" or "only one person can edit the configuration".

The "only one" option is enabled by changing the "Post to Channel" property to a private channel (or direct message). Note that this doesn't mean that the configuration is restricted to the specified channel. Custom Integrations Incoming WebHooks allow the sender to override the channel, so the configuration may still be used to post to public channels.