User Role Import App
You can automatically import user roles into Atlan from a CSV file. This app streamlines user management by allowing administrators to bulk-assign roles such as Admin, Member, or Guest, reducing manual effort and ensuring consistent access control.
The User Role Import app enables you to keep access rights aligned with organizational requirements, especially during onboarding or bulk updates. It reads a provided CSV file and applies the roles defined for each user.
Configuration
This section defines the fields required for workflow setup.
Workflow name
Specifies a unique and descriptive name to identify the workflow configuration in the Atlan interface. This name appears in the workflow list and helps distinguish it from other governance workflows.
Example:
atlan-prod-user-role-import
User identifier
Specifies the field used to match users in Atlan when applying role updates.
Available options:
-
Username: When this option is selected, the workflow matches users based on their Atlan username. The CSV file must include a
Usernamecolumn, and the app fails immediately if any row contains a username that doesn't exist in Atlan. -
Email: When this option is selected, the workflow matches users based on their registered email address. The CSV file must include an
Email addresscolumn, and the app fails immediately if any row contains an email address that doesn't exist in Atlan.
At least one of Username or Email address must be present in the CSV file. If both are included, only the column corresponding to the selected identifier is used.
Import file from
Defines the method for providing the input CSV file.
Direct file upload
Upload a CSV file directly into Atlan from your local system. This method is recommended for ad-hoc or one-time imports.
-
File size is generally limited to ~10 MB. For larger files, use the Object storage option.
-
The uploaded file must follow the required format described in the Assets file section.
-
At a minimum, the CSV must contain either a Username or Email address column, along with a mandatory License type column that specifies the role to assign.
Object storage
Import the CSV file from a supported cloud object store. This option is recommended for recurring imports or large files that exceed the upload size limit. Supported providers are Amazon S3, Google Cloud Storage (GCS), and Azure Data Lake Storage (ADLS).
If the Atlan tenant is already hosted on one of these providers, all fields can be left empty to reuse the tenant’s backing store.
- Amazon S3
- Google Cloud Storage
- Azure Data Lake Storage
Amazon S3 enables scalable object storage and is often used for recurring imports. Use this option when the CSV file with user role mappings is stored in an S3 bucket.
AWS access key
The access key ID associated with your AWS account.
- Required if using the access/secret key authentication method.
- Not required if the configuration is tenant-backed, cross-account, or role-based.
Example:
AKIAIOSFODNN7EXAMPLE
AWS secret key
The secret key that pairs with your access key. This is generated when you create an access key in IAM. It must be downloaded at creation time or rotated if lost.
- Required if using the access/secret key authentication method.
- Not required if the configuration is tenant-backed, cross-account, or role-based.
Example:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS Role ARN
The Amazon Resource Name (ARN) of an IAM role with permissions to access the target S3 bucket. This is the recommended approach for cross-account or role-based authentication.
- Required if using a role-based configuration.
- Not required if using access/secret keys or if the tenant is backed by S3.
Example:
arn:aws:iam::123456789012:role/atlan-import-role
Region
The AWS region where the S3 bucket resides (for example, us-east-1).
- Required if using the access/secret key method.
- Optional if the region is inferred from the tenant or IAM role.
Example:
ap-southeast-1
Bucket
The name of the S3 bucket where the CSV file for user role import is stored.
- Required in all configurations—whether the setup is tenant-backed, cross-account, access/secret key, or role-based.
- Make sure that the bucket has the correct read permissions for the chosen authentication method.
Example:
atlan-user-role-imports
Folder path
The folder path inside the bucket where the CSV file is located. Leave empty to read files directly from the bucket root. Don't include the bucket name in this path.
- Optional in all configurations.
- Use when you want to organize CSV imports into subfolders within the bucket.
Example:
imports/roles
Assets file
The name of the CSV file to be imported (without extension).
- Required in all configurations.
- The workflow automatically appends
.csvto the file name during import.
Example:
user-role-mapping
Google Cloud Storage (GCS) provides durable object storage for analytics and governance. Use this option when the CSV file with user role mappings is stored in a GCS bucket.
Project ID
The ID of the Google Cloud project that owns the target bucket.
- Required in all configurations.
Example:
my-gcp-project-123456
Service account JSON
A JSON key file containing service account credentials with access to the bucket.
- Required if using a customer-managed bucket.
- Not required if the tenant is backed by GCS.
Example:
{
"type": "service_account",
"project_id": "my-gcp-project-123456",
"client_email": "[email protected]"
}
Bucket
The name of the GCS bucket where the CSV file is stored.
- Required in all configurations—whether tenant-backed or customer-managed.
- Make sure the bucket has appropriate read permissions for the service account.
Example:
atlan-user-role-imports
Folder path
The folder path inside the bucket where the CSV file is located. Leave empty to read files directly from the bucket root.
- Optional in all configurations.
- Use this to organize import files into dedicated subfolders.
Example:
imports/roles
Assets file
The name of the CSV file to be imported (without extension).
- Required in all configurations.
- The workflow automatically appends
.csvto the file name during import.
Example:
user-role-mapping
Azure Data Lake Storage (ADLS) provides secure and scalable storage for enterprise workloads. Use this option when the CSV file with user role mappings is stored in an ADLS container.
Azure client ID
The application (client) ID of the app registered in Azure AD.
- Required if using a customer-managed ADLS container.
- Not required if the tenant is backed by ADLS.
Example:
12345678-90ab-cdef-1234-567890abcdef
Azure client secret
The client secret value for the registered app. This must be created under the app’s Certificates & secrets section in Azure.
- Required if using a customer-managed ADLS container.
- Not required if the tenant is backed by ADLS.
Example:
abc123d45pqr678stu901vwx234
Azure tenant ID
The tenant ID of the Azure Active Directory instance.
- Required if using a customer-managed ADLS container.
- Not required if the tenant is backed by ADLS.
Example:
87654321-4321-4321-4321-210987654321
Storage account name
The name of the Azure storage account where the container resides.
- Required in all configurations, whether tenant-backed or customer-managed.
Example:
atlanstorageaccount
Container
The ADLS container where the CSV file is stored.
- Required in all configurations—whether tenant-backed or customer-managed.
- Make sure the container has appropriate permissions for the authentication method.
Example:
user-role-imports
Folder path
The folder path inside the container where the CSV file is located. Leave empty to read files directly from the container root.
- Optional in all configurations.
- Use this to separate CSV imports into subfolders for better organization.
Example:
imports/roles
Assets file
The name of the CSV file to be imported (without extension).
- Required in all configurations.
- The workflow automatically appends
.csvto the file name during import.
Example:
user-role-mapping
Assets file
Specifies the CSV file that contains user role assignments to be imported into Atlan. The file defines which users must be assigned which roles, based on either their Username or Email address.
This file acts as the input for the workflow and must follow a consistent structure to make sure that user roles are updated correctly. Incorrect or missing headers may cause the import to fail.
- Case-insensitive role values: Accepted values for license type are
Admin,Member,Guestor their prefixed forms ($admin,$member,$guest). Values are matched without case sensitivity. - Required headers: Either
UsernameorEmail addressmust be included, along with the mandatoryLicense typecolumn. If any of these required headers are missing, the import fails. - Ignored headers: Any additional headers beyond the required ones are ignored.
- Invalid data: The app fails immediately if any row contains unrecognized license types, missing identifiers, or non-matching usernames/email addresses.
- No partial processing: The app doesn't process any rows if invalid data is detected in any row.
The file must follow this format:
| Column | Requirement | Notes |
|---|---|---|
| Username | Mandatory if Username is selected as User identifier. | Either Username or Email address must be provided. |
| Email address | Mandatory if Email is selected as User identifier. | Either Email address or Username must be provided. |
| License type | Mandatory. Accepted values (case-insensitive): Guest, $guest, Member, $member, Admin, $admin. | Any additional headers in the file are ignored. |
Example:
Email address,License type
[email protected],Admin
[email protected],Member
[email protected],Guest