Importing and Exporting Users, Groups, and AppRoles
An identity domain might be one among many repositories in an organization. When you start using identity domains, you might want to load data from the other repositories. Bulk loading offers a solution to this requirement.
Bulk loading automates the process of loading a large amount of data into an identity domain. You can bulk load users, groups, and application roles using the identity domains REST API or the UI. See Transferring Data for more information on bulk loading using the identity domain Console.
To safely handle the export of the CSV file from an identity domain, any cell values that start with the following characters are escaped. This ensures that if a cell value starts with one of these blocklisted values, it's escaped in the CSV, which avoids CSV injection. For example, during export if the value is
@test, the actual value will be '@test'.- At:
@ - Plus:
+ - Minus:
- - Equals to:
= - Pipe:
| - Percentage:
%
'@test', the actual value will be @test.| Operation | Description | Administrator Role Required | More Information |
|---|---|---|---|
| Import Groups | Create groups, modify existing groups, and assign users to groups. |
The identity domain administrator has permissions to trigger the
resource-specific job The user administrator has permissions to trigger the
resource-specific job |
The maximum number of rows in group import file must not exceed 100,000 and import file size must not exceed 52 MB. For best performance, ensure that maximum number of user members per group row in your CSV file doesn't exceed seven. |
| Import Users | Create users and modify existing users. |
The identity domain administrator has permissions to trigger resource-specific job The user administrator has permissions to trigger the
resource-specific job |
The maximum number of rows in user import file must not exceed 100,000 and import file size must not exceed 52 MB You can include a password in unhashed plain text or in hashed
format. Identity domains use {PBKDF2-HMAC-SHA256} by default for
hashing passwords that are provided as a plain text value. Identity
domains support the following crypto algorithms for user import:
Example Hashed Password: See Create a User for details on how to generate a hashed password value. If you want users to use their federated accounts to sign in, then you must set the Federated column to TRUE for those users. When the federated flag is set to TRUE, IAM no longer manages the federated user's password. This prevents IAM from forcing a password change for these imported user accounts. If you don't want users to be notified that the identity domain created accounts for them, then you must set the ByPass Notification column to TRUE for those users. The ByPass Notification flag controls whether an email notification is sent after creating or updating a user. |
| Import Application Role Memberships | Assign users and groups to application roles. |
The identity domain administrator has permissions to trigger the
resource-specific job The application administrator has permissions to trigger the
resource-specific job |
Use of the The maximum number of rows in Application Role Memberships import file must not exceed 100,000 and import file size must not exceed 52 MB. |
| Export Groups | Export groups and group membership. |
The identity domain administrator has permissions to trigger the
resource-specific job The user administrator has permissions to trigger the
resource-specific job |
|
| Export Users | Export users. |
The identity domain administrator has permissions to trigger the
resource-specific job The user administrator has permissions to trigger the
resource-specific job |
|
| Export Application Role Memberships | Export AppRole memberships. |
The identity domain administrator has permissions to trigger the
resource-specific job The application administrator has permissions to trigger the
resource-specific job |
Export AppRole memberships to only a single application. Exporting across multiple applications exports the membership of various AppRoles across all applications. |
Download the Template
Use the following link to download the bulkImportSampleFilesCSV.zip
file: Download the Templates. The
bulkImportSampleFilesCSV.zip file contains CSV templates for
importing users (Users.csv), groups (Groups.csv), and
AppRoles (AppRoleMembership.csv) to an identity domain.
There are many columns provided in the templates. For example, the Federated column (which supports either TRUE or FALSE) indicates whether to mark users that are created as federated. The ByPass Notification column (which supports either TRUE or FALSE), indicates whether an email notification is sent after creating or updating a user.
GET <domainURL>/admin/v1/ResourceTypeSchemaAttributes?filter=resourceType eq "User" and idcsCsvAttributeName pr&attributes=name,idcsCsvAttributeName,idcsDisplayName,description,type,required,canonicalValues,mutability,caseExact,multiValued,idcsMinLength,idcsMaxLength,idcsSearchableSee Transferring Data for more information on bulk loading using the identity domain console.
Example Response
{
"name": "customerId",
"mutability": "readWrite",
"idcsMinLength": 5,
"type": "string",
"idcsSearchable": true,
"idcsDisplayName": "Customer ID",
"description": "Customer Identification Number",
"idcsMaxLength": 30,
"multiValued": false,
"required": false,
"caseExact": true,
"idcsCsvAttributeName": "Customer ID"
}More Information
-
See Importing Using the REST API for the use case on importing user, group, and app role data using the identity domains REST API.
-
See Exporting Using the REST API for the use case on exporting user, group, and approve data using the identity domains REST APIs.