Skip to main content

User Role Import
App

You can automatically import user roles into Atlan from a CSV file. This app streamlines user management by allowing administrators to bulk-assign roles such as Admin, Member, or Guest, reducing manual effort and ensuring consistent access control.

The User Role Import app enables you to keep access rights aligned with organizational requirements, especially during onboarding or bulk updates. It reads a provided CSV file and applies the roles defined for each user.

Configuration

This section defines the fields required for workflow setup.

Workflow name

Specifies a unique and descriptive name to identify the workflow configuration in the Atlan interface. This name appears in the workflow list and helps distinguish it from other governance workflows.

Example:

atlan-prod-user-role-import

User identifier

Specifies the field used to match users in Atlan when applying role updates.

Available options:

  • Username: When this option is selected, the workflow matches users based on their Atlan username. The CSV file must include a Username column, and the app fails immediately if any row contains a username that doesn't exist in Atlan.

  • Email: When this option is selected, the workflow matches users based on their registered email address. The CSV file must include an Email address column, and the app fails immediately if any row contains an email address that doesn't exist in Atlan.

At least one of Username or Email address must be present in the CSV file. If both are included, only the column corresponding to the selected identifier is used.

Import file from

Defines the method for providing the input CSV file.

Direct file upload

Upload a CSV file directly into Atlan from your local system. This method is recommended for ad-hoc or one-time imports.

  • File size is generally limited to ~10 MB. For larger files, use the Object storage option.

  • The uploaded file must follow the required format described in the Assets file section.

  • At a minimum, the CSV must contain either a Username or Email address column, along with a mandatory License type column that specifies the role to assign.

Object storage

Import the CSV file from a supported cloud object store. This option is recommended for recurring imports or large files that exceed the upload size limit. Supported providers are Amazon S3, Google Cloud Storage (GCS), and Azure Data Lake Storage (ADLS).

If the Atlan tenant is already hosted on one of these providers, all fields can be left empty to reuse the tenant’s backing store.

Amazon S3 enables scalable object storage and is often used for recurring imports. Use this option when the CSV file with user role mappings is stored in an S3 bucket.

AWS access key

The access key ID associated with your AWS account.

  • Required if using the access/secret key authentication method.
  • Not required if the configuration is tenant-backed, cross-account, or role-based.

Example:

AKIAIOSFODNN7EXAMPLE

AWS secret key

The secret key that pairs with your access key. This is generated when you create an access key in IAM. It must be downloaded at creation time or rotated if lost.

  • Required if using the access/secret key authentication method.
  • Not required if the configuration is tenant-backed, cross-account, or role-based.

Example:

wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

AWS Role ARN

The Amazon Resource Name (ARN) of an IAM role with permissions to access the target S3 bucket. This is the recommended approach for cross-account or role-based authentication.

  • Required if using a role-based configuration.
  • Not required if using access/secret keys or if the tenant is backed by S3.

Example:

arn:aws:iam::123456789012:role/atlan-import-role

Region

The AWS region where the S3 bucket resides (for example, us-east-1).

  • Required if using the access/secret key method.
  • Optional if the region is inferred from the tenant or IAM role.

Example:

ap-southeast-1

Bucket

The name of the S3 bucket where the CSV file for user role import is stored.

  • Required in all configurations—whether the setup is tenant-backed, cross-account, access/secret key, or role-based.
  • Make sure that the bucket has the correct read permissions for the chosen authentication method.

Example:

atlan-user-role-imports

Folder path

The folder path inside the bucket where the CSV file is located. Leave empty to read files directly from the bucket root. Don't include the bucket name in this path.

  • Optional in all configurations.
  • Use when you want to organize CSV imports into subfolders within the bucket.

Example:

imports/roles

Assets file

The name of the CSV file to be imported (without extension).

  • Required in all configurations.
  • The workflow automatically appends .csv to the file name during import.

Example:

user-role-mapping

Assets file

Specifies the CSV file that contains user role assignments to be imported into Atlan. The file defines which users must be assigned which roles, based on either their Username or Email address.

This file acts as the input for the workflow and must follow a consistent structure to make sure that user roles are updated correctly. Incorrect or missing headers may cause the import to fail.

  • Case-insensitive role values: Accepted values for license type are Admin, Member, Guest or their prefixed forms ($admin, $member, $guest). Values are matched without case sensitivity.
  • Required headers: Either Username or Email address must be included, along with the mandatory License type column. If any of these required headers are missing, the import fails.
  • Ignored headers: Any additional headers beyond the required ones are ignored.
  • Invalid data: The app fails immediately if any row contains unrecognized license types, missing identifiers, or non-matching usernames/email addresses.
  • No partial processing: The app doesn't process any rows if invalid data is detected in any row.

The file must follow this format:

ColumnRequirementNotes
UsernameMandatory if Username is selected as User identifier.Either Username or Email address must be provided.
Email addressMandatory if Email is selected as User identifier.Either Email address or Username must be provided.
License typeMandatory. Accepted values (case-insensitive): Guest, $guest, Member, $member, Admin, $admin.Any additional headers in the file are ignored.

Example:

Email address,License type
[email protected],Admin
[email protected],Member
[email protected],Guest