The fact Slack doesn't allow you to lock down name changes must be such a gaping security hole for big companies.
Change your name to the CEO, and profile image to match. Odds of people noticing the difference are extremely small until it's too late.
Changing to Slackbot seems like small fry!
Bigger companies use SAML or other federation that makes it impossible to log in without a corporate authentication.
Presumably with SAML/SSO you can still change your Slack display name and profile picture?
Negative, that comes from Azure AD, or Cognito, or Keycloak, or whatever.
The user's name, email, phone, location, avatar pic, department, etc. all come over in the SAML payload.
This is not correct in general. My job uses SSO and I can change my Slack name.
It is correct, your company just messed up somewhere...
Eh, that’s a matter of opinion on policy. Technically (at least with Slack) it is possible to require SSO for users and control over which profile attributes they can change themselves, including display name. Although they may get clobbered at login as part of reading the SAML doc.
Just because you can, doesn’t mean you should - and in fact is a security hole if you do. We don’t allow security holes where I work so all attributes are copied over and nothing can be changed. No hidden employees. No unknown guests.
In our case we cannot change the Slack display name, but we can change the @ handle. Pretty good compromise IMO.
Not Slack, we use Teams at work and I have very limited ability to do anything, can't change my name and we have profile pics disabled.
The data only comes during the sign-in flow. If you want to change it dynamically outside of that, it's typically done via SCIM.
For anyone curious, we wrote a blog post all about this. https://workos.com/blog/the-developers-guide-to-directory-sy...
(I work at WorkOS.)
Uh, it does allow that in the organization settings. Also the SAML/SSO comment below as well. If you can change names, IT admins are either non-existent or just being lazy.
My company allows name changes. It’s fun.
That means they're not using SAML/SSO which sounds absolutely crazy to me, unless you only have like a dozen users. The implication is that your IT team doesn't take security seriously. Not because you can change names, but because they aren't implementing identity policies.
You can very much allow people to change display names while using SAML/SSO. My work setup allows this. We can change photo and description as well but nothing else.
Same here.
Eh, a lot of startups even in the 100-200 employee range are still manually inviting Slack members. It's not really the end of the world as long as you're on top of things and have good communication between HR, IT, etc. Spreadsheets solve a lot of problems (in this case, having a good template offboarding/onboarding spreadsheet in Google Drive that everyone can collaborate on to make sure stuff gets done quickly).
Or it’s just a more relaxed atmosphere? Not everything needs to be corporate no-fun serious business 24/7.
We’re on an enterprise Slack instance with >1000 members and SSO/SAML. Changing names and photos allows us to be fun and everyone trusts everyone else to not spoil the party.
Mine does too, to allow people to copy their pronouns from the boring “pronouns” field into the most conspicuous possible place (inside their actual name), for maximum virtue signaling.
Name changes can be locked; I'm in an Enterprise Grid org and our display names/usernames are synced against our employee profile. We're also required to SSO every single time we launch the desktop app so once you're terminated you're definitely not getting back in (they deactivate accounts very quickly too, so mobile is likely not a major concern).
Basically the only thing you can change without filing a ticket is your picture and some mostly-irrelevant freetext fields.
How does an enterprise chat tool not have the ability to invalidate all session tokens and all connected clients to disconnect?
Perverse incentives. People are paying them already without that feature, so why bother? They are incentivized to do and provide as little as possible.
https://api.slack.com/methods/admin.users.session.invalidate ?
At the same time the ability to change name is such a godsend.
We're currently abusing it to have presence info straight in the display name (e.g. mike-2/12~16vac.) to let anyone contacting us know what to expect for response times, or whether to ask for a task if it's a few days before a planned vacation.
Nobody seemed to look at the actual status property and it beats going to the calendars to check.
Looks like mike-2 is a robot powered by a doorbell transformer.
He'd probably be fine with that perception.
In MS Teams, your name is from AD and you almost certainly don't have permission to change that. Also, bots have hexagonal avatar frames while humans have circular ones. I'm not sure how many people notice, though.
I’m pretty sure this is one reason why my firm recently removed people’s ability to change their name on our videoconferencing system.
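An added example, not part of any comment above and not Slack's or any vendor's code: a periodic audit that compares the display names shown in a chat workspace with the names the directory would push over SAML/SCIM, and flags names that collide with a protected identity or a reserved system name. All user IDs, names and the small confusables map are constructed for illustration.

```python
import unicodedata

# Constructed sample data: names as the directory (IdP) holds them, and the
# display names currently shown in the chat workspace. All IDs are made up.
DIRECTORY = {"u1": "Dana Reyes", "u2": "Mike Olsen",
             "u3": "Priya Nair", "u4": "Tom Beck"}
PROTECTED = {"u1"}        # hypothetical CEO account
RESERVED = {"Slackbot"}   # system name no human account should carry
PROFILES = {
    "u1": "Dana Reyes",
    "u2": "mike-2/12~16vac.",        # presence info in the name, as in the thread
    "u3": "D\u0430na  REYES",        # Cyrillic 'a', extra space, upper case
    "u4": "\uff33lack\u200bbot",     # fullwidth 'S' plus a zero-width space
}
# Tiny constructed confusables map; a real audit would use the Unicode
# confusables data (UTS #39), which NFKC alone does not cover.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o"}


def skeleton(name):
    """Fold a display name to a comparison key."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    chars = [CONFUSABLES.get(c, c) for c in folded
             if unicodedata.category(c) != "Cf"]   # drop zero-width/format chars
    return " ".join("".join(chars).split())


def audit(directory, profiles, protected, reserved):
    """Return (user_id, finding) pairs for names that need review."""
    guarded = {skeleton(directory[u]): u for u in protected}
    reserved_keys = {skeleton(r) for r in reserved}
    findings = []
    for uid in sorted(profiles):
        key = skeleton(profiles[uid])
        owner = guarded.get(key)
        if key in reserved_keys:
            findings.append((uid, "reserved-name"))
        elif owner is not None and owner != uid:
            findings.append((uid, "impersonates:" + owner))
        elif key != skeleton(directory.get(uid, "")):
            findings.append((uid, "drift"))
    return findings


if __name__ == "__main__":
    for uid, finding in audit(DIRECTORY, PROFILES, PROTECTED, RESERVED):
        print(uid, finding, repr(PROFILES[uid]))
```

Plain drift (the vacation-in-the-name case) is reported separately from a collision with a protected or reserved name, so a workspace that allows name changes can alert only on the latter.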