Importing and Exporting Users, Groups, and AppRoles

Oracle Identity Cloud Service may be one among many repositories in your organization. When you start using Identity Cloud Service, you might want to load data from the other repositories. Bulk loading offers a solution to this requirement. Bulk loading automates the process of loading a large amount of data into Oracle Identity Cloud Service. You can bulk load users, groups, and application roles using the Oracle Identity Cloud Service REST APIs or the UI.

The Bulk Loading Data into Oracle Identity Cloud Service section of the Administering Oracle Identity Cloud Service provides more information on bulk loading using the Oracle Identity Cloud Service UI.

Note:

To safely handle the export of the CSV file from Oracle Identity Cloud Service, any cell values that start with the following characters are escaped. This ensures that if a cell value starts with one of these blacklisted values, it is escaped in the CSV, which avoids CSV injection. For example, during export if the value is @test, the actual value will be '@test'.
  • At: @
  • Plus: +
  • Minus: -
  • Equals to: =
  • Pipe: |
  • Percentage: %
During import, if any cell values are escaped, the quotes are removed. For example, during import if the cell value is '@test', the actual value will be @test.
Operation Description Administrator Role Required More Information
Import Groups Create groups, modify existing groups, and assign users to groups.

The Identity Domain Administrator has permissions to trigger the resource specific job GroupImport, and Generic Import for the resourceType of Group.

The User Administrator has permissions to trigger the resource specific job GroupImport.

The maximum number of rows in group import file must not exceed 100,000 and import file size must not exceed 52 MB.

For best performance, it is recommended that maximum number of user members per group row in your CSV file must not exceed seven.

Import Users Create users and modify existing users.

The Identity Domain Administrator: has permissions to trigger resource specific job UserImport, and Generic Import for the resourceType of User.

The User Administrator has permissions to trigger the resource specific job UserImport.

The maximum number of rows in user import file must not exceed 100,000 and import file size must not exceed 52 MB

You can include a password in unhashed plain text or in hashed format. Oracle Identity Cloud Service uses {PBKDF2-HMAC-SHA256} by default for hashing passwords that are provided as a plain text value. Oracle Identity Cloud Service supports the following crypto algorighms for user import:
  • {PBKDF2-HMAC-SHA1}

  • {PBKDF2-HMAC-SHA256}

  • {PBKDF2-HMAC-SHA384}

  • {PBKDF2-HMAC-SHA512}

  • {SSHA}

  • {SSHA256}

  • {SSHA384}

  • {SSHA512}

Example Hashed Password:

{PBKDF2-HMAC-SHA1}10000$T78t/00uHfSr95
czOvVufNLEfkwyBJKdZ0w3bV4wxIg/nb4pvTzvzA==

See Create a User for details on how to generate a hashed password value.

If you want users to use their federated accounts to sign in to Oracle Identity Cloud Service, then you must set the Federated column to TRUE for those users. When the federated flag is set, Oracle Identity Cloud Service no longer manages the federated user's password. This prevents Oracle Identity Cloud Service from forcing a password change for these imported user accounts.

If you don't want users to be notified that Oracle Identity Cloud Service created accounts for them, then you must set the ByPass Notification column to TRUE for those users. The ByPass Notification flag controls whether an email notification is sent after creating or updating a user.

Import Application Role Memberships Assign users and groups to application roles.

The Identity Domain Administrator has permissions to trigger the resource specific job AppRoleImport and Generic Import for the resourceType of Grant.

The Application Administrator has permissions to trigger the resource specific job AppRoleImport.

Use of the resourceType of AppRole for import is not supported.

The maximum number of rows in Application Role Memberships import file must not exceed 100,000 and import file size must not exceed 52 MB.

Export Groups Export groups and group membership.

The Identity Domain Administrator has permissions to trigger the resource specific job GroupExport, and Generic Export for the resourceType of Group.

The User Administrator has permissions to trigger the resource specific job GroupExport.

Export Users Export users.

The Identity Domain Administrator has permissions to trigger the resource specific job UserExport,and Generic Export for the resourceType of User.

The User Administrator has permissions to trigger the resource specific job UserExport.

Export Application Role Memberships Export AppRole memberships.

The Identity Domain Administrator has permissions to trigger the resource specific job AppRoleExport and Generic Export for the resourceType of AppRole.

The Application Administrator has permissions to trigger the resource specific job AppRoleExport.

Export AppRole memberships to only a single application. Exporting across multiple applications exports the membership of various AppRoles across all applications.

Download the Template

Use the following link to download the bulkImportSampleFilesCSV.zip file: Download the Templates. The bulkImportSampleFilesCSV.zip file contains CSV templates for importing users (Users.csv), groups (Groups.csv), and AppRoles (AppRoleMembership.csv) to Oracle Identity Cloud Service.

There are many columns provided in the templates. For example, the Federated column (which supports either TRUE or FALSE) indicates whether to mark users that are created as federated. The ByPass Notification column (which supports either TRUE or FALSE), indicates whether an email notification is sent after creating or updating a user.

To access the complete list of allowed csv column names and their descriptions, use the following request:

GET tenant-base-url/admin/v1/ResourceTypeSchemaAttributes?filter=resourceType eq "User" and idcsCsvAttributeName pr&attributes=name,idcsCsvAttributeName,idcsDisplayName,description,type,required,canonicalValues,mutability,caseExact,multiValued,idcsMinLength,idcsMaxLength,idcsSearchable

Example Response

{
    "name": "customerId",
    "mutability": "readWrite",
    "idcsMinLength": 5,
    "type": "string",
    "idcsSearchable": true,
    "idcsDisplayName": "Customer ID",
    "description": "Customer Identification Number",
    "idcsMaxLength": 30,
    "multiValued": false,
    "required": false,
    "caseExact": true,
    "idcsCsvAttributeName": "Customer ID"
}

More Information

  • See Importing for the use case on importing user, group, and approle data using the Oracle Identity Cloud Service REST APIs.

  • See Exporting for the use case on exporting user, group, and approle data using the Oracle Identity Cloud Service REST APIs.