7

I'm trying to add a user to a usergroup (and by that trying to use the API call usergroups.users.update)

I'm using a workspace token that has the scope usergroups:write and usergroups:read (complete list: channels:read, channels:write, chat:write, groups:write, im:write, identity:read:user, usergroups:read, usergroups:write, users:read, users:read.email, users.profile:write)

The payload is:

    {"usergroup":"SCGM0xxxx","users":"U5W2Rxxxx"}

(Lower case xxxx to hide identity)

POST from Curl:

    POST /api/usergroups.users.update HTTP/1.1

The result from the POST request to usergroups.users.update simply returns

    {
     "ok" => false
     "error"  => "permission_denied"
     }

The documentation states:

The user does not have permission to update the list of users for a User Group.

Is there any other setting I need to configure to make this work? I have reinstalled the app after changing the oauth scopes. I added both usergroups:read and usergroups:write at the same time and I can use the API call usergroups.list.

Fluff
  • I am not familiar with the usergroup API, but the error message does not say "missing scope xyz". So it's likely that your workspace settings require the admin or owner role for this function and your user may not have that role. – Erik Kalkoken Aug 27 '18 at 10:50
  • True, the user is an app user with a workspace token – Fluff Aug 27 '18 at 13:22

2 Answers

8

According to Slack support:

There’s a workspace preference that limits who can manage user groups. It’s likely that your workspace owners have locked this down. If the token you’re using does not belong to one of the members permitted to manage user groups, you’ll get back the “permission_denied” error.

The settings would look like this: [image: User Groups]

To find a list of workspace Owners you can head to your Account page: https://my.slack.com/account/workspace-settings#admins

Troy Kinsella
  • My first question was what user is the app using? Turns out you get the scope of the installer. So if user group creation is limited to Admins and Owners, if you get an Admin or Owner to install the app, it will allow the app to play with user groups (note you will get a different auth token so make sure to update that too). – theannouncer Jun 19 '19 at 20:18
  • I encountered this as well. My workspace is configured as in the image (which is the default), so only admins/owners can change groups. But a bot token (xoxb-) is not an admin. The solution is to have an admin install the bot and then copy the user token (xoxp-) for use in bearer auth of requests that need to be privileged. It is a weird nexus of factors compared to other API calls that can just use the bot token, but group membership adds people to channels, so it's fairly powerful. – Nathan Williams Aug 21 '23 at 20:19
1

I had the same issue, and I think it's a bug that the workspace token doesn't work. As a workaround, I had the luxury of being able to go into the admin settings and temporarily set the People who can create and disable user groups: Everyone, except guests. That allowed me to proceed with the API calls. Then switched it back.
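
The triage described in the answers and comments above, as an added Python example that is not from the original posts or from Slack's own code: it builds the request from the question and maps a failed response to a likely cause, separating a scope problem from a role problem. The token strings, sample responses and cause codes are constructed for illustration; the `owner` argument is assumed to be the `user` object returned by `users.info` for the account that installed the app.

```python
import json
import urllib.request

API_URL = "https://slack.com/api/usergroups.users.update"

def build_request(token, usergroup, users):
    """Build (not send) the JSON POST; the token goes in the bearer header only."""
    body = json.dumps({"usergroup": usergroup, "users": ",".join(users)})
    return urllib.request.Request(
        API_URL, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json; charset=utf-8"})

def token_kind(token):
    """Classify by prefix: xoxb- is a bot token, xoxp- a user token."""
    for prefix, kind in (("xoxb-", "bot"), ("xoxp-", "user")):
        if token.startswith(prefix):
            return kind
    return "other"

def diagnose(token, response, owner=None):
    """Map a failed response to a cause code (codes are this example's own).

    owner: optional "user" object from users.info for the account that
    installed the app (fields is_admin / is_owner).
    """
    if response.get("ok"):
        return "ok"
    error = response.get("error")
    if error == "missing_scope":
        # Scope failures name the scope in "needed"; reinstall with it.
        return "missing_scope:" + str(response.get("needed"))
    if error != "permission_denied":
        return "other:" + str(error)
    if token_kind(token) == "bot":
        # Per the comments above: a bot token does not carry the admin role.
        return "bot_token_not_privileged"
    if owner and not (owner.get("is_admin") or owner.get("is_owner")):
        return "installer_lacks_role"
    return "check_workspace_user_group_preference"

# Constructed samples (not real tokens or captured responses).
DENIED = {"ok": False, "error": "permission_denied"}
NO_SCOPE = {"ok": False, "error": "missing_scope",
            "needed": "usergroups:write", "provided": "usergroups:read"}
MEMBER = {"id": "U5W2Rxxxx", "is_admin": False, "is_owner": False}

if __name__ == "__main__":
    print(diagnose("xoxb-constructed", DENIED))
    print(diagnose("xoxp-constructed", DENIED, MEMBER))
    print(diagnose("xoxp-constructed", NO_SCOPE))
```

Keep the token out of logs and error reports when wiring this into a real client; `diagnose` only inspects its prefix and never returns it.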