Ran our first Slack admin audit. 200 workspace admins. We have 700 employees

Posted by Either-Act-3406@reddit | sysadmin | View on Reddit | 25 comments

Just finished pulling the admin list from Slack for the first time since we migrated to it 4 years ago. 211 workspace admins. Our company has about 700 people.

I started going through them to figure out how it got this way. The pattern is almost always the same. Someone needed to manage a channel or invite a guest. The person they asked said they needed workspace admin to do it. They got workspace admin. Never got removed. Repeat 200 times over 4 years.

The thing is Slack actually has a Channel Manager role that covers most of what these people needed. But apparently nobody told anyone that existed at the time and workspace admin was just the easy button.

Now I need to figure out how to remove admin from 200 people without breaking whatever they were using it for. There is no documentation of why anyone got admin. Most of them probably forgot they have it.

Has anyone done a rollback like this without it becoming a 3 month project? Teams has a similar situation but at smaller scale. I am also starting to wonder how many of these 211 people could just export our entire message history if they wanted to given the data retention settings we have.

[-]

lorigio@reddit

Quickly check the audit logs filtering by those users, you will quickly find which admin actions they took in the latest 1-3 months. If none then remove

helicoptersneeze@reddit

Just yolo it and replace all the admins roles for Channel Manager. You're gonna find out quickly enough what brakes.

theolentangy@reddit

Agree. The fallout could be pretty bad, but doing all that the slow way WILL be pretty bad.

markusro@reddit

The good old scream test. It certainly is tried and true.

topinanbour-rex@reddit

Wrap it with security measure so it will pass.

monedula@reddit

I wouldn't recommend just changing things without any warning. That's how you get users who despise sysadmins. Treat users like people and you improve the chances of them treating you like people.

Start by mailing everyone, telling them you'll be changing most/all people to Channel Manager in X days. Ask if there is anyone who actually needs Workspace Admin rather than Channel Manager and, if so, why. If there are a few who genuinely need it and know why, then you've saved a bunch of annoyance and got yourself some input for documentation. Any others at least got some warning.

wrincewind@reddit

yep - this is the way to do it. it CYA's, makes you seem much more reasonable and approachable to the rest of the company, and only takes x additional days (a week is reasonable, or maybe a month if you suspect a lot of people are taking leave around this time), and takes hardly any extra work from you.

TheModernDespot@reddit

As much as I hate the approach, its probably the only real way through this. 200 people is too many, and you are never going to get anywhere asking each person if they really need access or not. Remove them all and let people specifically request more. I'd bet that most of those 200 absolutely do not need admin access.

Trying to navigate it carefully is how this turns into a 3 month project. Sometimes you've just gotta put your foot down, pave, and rebuild clean.

dustojnikhummer@reddit

And nobody will tell you "Yes, remove my perms"

purplemonkeymad@reddit

You don't ask if they need it, you ask for their justification for having it. If they are clueless or unable to tell you, they get yoinked (get management backing ofc.)

HiKite@reddit

Sounds like an excellent use of a Scream Test!

marvinxtech@reddit

Don't do it, it will cause very troublesome consequences.

Different_Back_5470@reddit

you dont do it in 1 go ofcourse, if you change 20 roles a month you'll be done in a year.

kjeserud@reddit

20 a month? Fuck that, 20 a week. If something breaks hard because of it you'll know very quickly anyway. No need to go a whole month before the next batch.

reni-chan@reddit

Stop being a chicken. That's the kind of stuff you have to do in IT. Most won't notice, some will notice but know they shouldn't have had it and won't speak up, some will speak up but when you tell them to prove they need it they will back off, and you will end up with just a handful of genuine cases.

I used to do scream tests in my previous workplace all the time and never got in trouble. It also helps being a European so I can't be fired for such nonsense.

WD40ContactCleaner@reddit

That's why we YOLO it

Enxer@reddit

Send a communication out to the impacted users stating an audit found them as an admin and we need business justification for that role or your original ask filled into this survey. Lack of action in two weeks means they lose their role and get knocked down to the user role.

Be sure to monitor their elevated actions for those two weeks.

OkEmployment4437@reddit

I’d treat it like a permission cleanup, not a history project. Pull the admin list, map any clearly legit cases first, then announce that workspace admin is being deprecated in favor of Channel Manager/default roles unless someone files an exception by a set date. Do a small pilot with one department, wait a few days, then remove in batches with logging so restores are easy. You’ll catch the real dependencies fast without spending weeks interviewing 200 people about access they probably forgot they had.

TwistyPoet@reddit

The better way of dealing with this politically speaking is moving the business to a new system.

With the new system you get a fresh start to set it up correctly and nobody can bitch about losing their admin rights because that was only a thing on the insecure legacy system. You'll likely have an even easier time selling it if it has some kind of crappy AI feature too.

Note that I'm not suggesting Slack is insecure or bad. It's just easier to deal with implementing a new system then to deal with 211 potential spoiled brats who may spit the dummy to your bosses boss about losing admin access.