Opal’s Slack integration lets you manage access to your Slack user groups (the @-mentionable groups, also called subteams). Once connected, Opal syncs the user groups and members in your Slack workspace and can add or remove members on your behalf. This supports the following, and more:
  • Users can request time-bounded access to your Slack user groups.
  • Reviewers can run access reviews to periodically confirm who has access to each group.
  • All membership changes are tracked in a permanent audit log.
This is separate from the Slack productivity integration, which sends Opal notifications to Slack. The two are configured independently, and you can use either or both.

Requirements

  • You must be an Opal administrator.
  • If you self-host Opal, you must be on version 1.1170 or later.
  • You need a Slack app that you can configure and install. You’ll supply its OAuth client ID and secret to Opal.
  • The person who authorizes the connection must be able to install the app and manage user groups in Slack. On Enterprise Grid, you can install the app org-wide to sync every workspace in the grid, or install it in a single workspace.

1. Create a Slack app and bot token

In the Slack API dashboard, create a new app (or use an existing one). Navigate to the OAuth & Permissions section in the Slack app configuration page, and add a Redirect URL that points to Opal, in the format https://<opal_url>/callback/slack-connection. Under OAuth & Permissions, add the following Bot Token Scopes:
| Scope | Purpose |
| --- | --- |
| usergroups:read | Read user group definitions |
| usergroups:write | Add and remove members from user groups |
| users:read | List workspace members |
| users:read.email | Match Slack users to Opal users by email |
Then install the app. You can install it to a single workspace, or org-wide on Enterprise Grid. Note the app’s Client ID and Client Secret from the Basic Information page — you’ll enter these in Opal.

2. Create the Slack app in Opal

  1. Go to the Inventory page and click + App.
  2. Select the Slack app.
  3. Fill out the form: enter an App name and select an App admin to own the app in Opal. You can also add an optional Description (shown to people requesting access) and set the app’s Visibility.
  4. Click to create the app.
Then, navigate to the app on the Inventory page and click the Setup tab. Connect the Slack app by entering its Client ID and Client Secret and completing the one-time Slack OAuth authorization. Opal stores only the resulting access token, not your client secret. Once the app is connected, Opal runs an initial sync to import your Slack users and user groups. You can trigger a sync at any time from the app’s detail page in Inventory by selecting Sync item.
On Enterprise Grid, an org-wide install syncs every workspace in the grid. A single-workspace install syncs only that workspace.

What Opal syncs

  • Users — workspace members that Opal can manage. Opal does not ingest deactivated accounts, bots, app users, the workspace Slackbot, or any user without an email address (Opal needs the email to match Slack users to Opal users).
  • User groups — all user groups in the workspace, along with their members. Each group’s @-handle is shown in its Opal description so you can tell how it’s mentioned in Slack.
Opal can add and remove members from a user group, but does not support nested groups or attaching resources directly to a Slack user group.
Slack automatically disables a user group when its last member is removed, because an enabled user group can’t be empty. When Opal adds a member back to an empty group, it re-enables the group, and Slack briefly re-exposes the group’s previous member list before Opal applies the new one. As a result, those previous members may receive a “you were added to @group” notification from Slack. This is a limitation of Slack’s API.
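To reconcile an access review against the sync rules listed under What Opal syncs, the following added example (not Opal's code) classifies Slack accounts by those exclusions and lists user group members that would fall outside what Opal manages. It assumes Slack's user object fields `deleted`, `is_bot`, `is_app_user` and `profile.email` and the `USLACKBOT` ID; the function names and sample data are hypothetical and constructed.

```python
# Added example, not Opal's implementation: approximates the exclusions listed
# under "What Opal syncs" using fields from Slack's user object.
# Constructed sample data shaped like users.list and usergroups.list output.
SAMPLE_USERS = [
    {"id": "U001", "deleted": False, "is_bot": False, "is_app_user": False,
     "profile": {"email": "ana@example.com"}},
    {"id": "U002", "deleted": True, "profile": {"email": "old@example.com"}},
    {"id": "U003", "is_bot": True, "profile": {}},
    {"id": "U004", "is_app_user": True, "profile": {}},
    {"id": "USLACKBOT", "is_bot": False, "profile": {}},
    {"id": "U005", "deleted": False, "is_bot": False, "profile": {}},
]
SAMPLE_GROUPS = [
    {"handle": "oncall", "users": ["U001", "U005"]},
    {"handle": "security", "users": ["U001"]},
    {"handle": "contractors", "users": ["U005", "U009"]},  # U009 not in users list
]

def skip_reason(user):
    """Return why an account matches one of the page's exclusions, or None."""
    if user.get("deleted"):
        return "deactivated"
    if user.get("id") == "USLACKBOT":
        return "slackbot"
    if user.get("is_bot"):
        return "bot"
    if user.get("is_app_user"):
        return "app user"
    if not (user.get("profile") or {}).get("email"):
        return "no email"
    return None

def unmanaged_members(users, groups):
    """Map each group handle to members outside the synced set, with reasons."""
    reasons = {u["id"]: skip_reason(u) for u in users}
    report = {}
    for group in groups:
        gaps = {}
        for uid in group.get("users", []):
            reason = reasons.get(uid, "unknown user")  # None means synced
            if reason:
                gaps[uid] = reason
        if gaps:
            report[group["handle"]] = gaps
    return report

if __name__ == "__main__":
    for handle, gaps in unmanaged_members(SAMPLE_USERS, SAMPLE_GROUPS).items():
        print(f"@{handle}: {gaps}")
```

Any group that appears in the report has members that an Opal access review would not show, so review those accounts in Slack directly.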
Last modified on June 16, 2026