Vault Loader: Create & Update Legacy Users


Vault Loader allows you to perform bulk actions on users in your vault. 

You can also use Vault Loader to create and update users with the User and Person objects. To learn about creating and updating User object records, see Vault Loader: Create, Update, & Delete Object Records. To learn about managing users with the User object, see Managing the User and Person Objects.

How to Load Users

Before loading users, prepare the CSV input file containing user field names and values. 

To create, update, or upsert users:

  1. In the left panel of the Loader tab, click Load.
  2. For the CSV File, click Choose and select the CSV input file.
  3. In the Object Type drop-down, select Users.
  4. In the Action Type drop-down, select Create, Update, or Upsert.
  5. Click Start Load.

Before processing the request, Vault validates the selected CSV file. If the file is valid, Vault begins processing the request. When finished, you’ll receive a Vault notification and email with request details and CSV output files. 

Preparing CSV Input Files

The fields you include in your CSV will depend on your action: Create, Update, or Upsert. If you aren’t sure where to start, you can use the Extract option in Vault Loader to see what the CSV should look like.

Create Users

When creating new users, the following fields are required in all vaults:

  • user_name__v
  • user_first_name__v
  • user_last_name__v
  • user_email__v
  • user_timezone__v
  • user_locale__v
  • user_language__v
  • security_policy_id__v
  • vault_membership (sometimes required; see details)
  • app_licensing (sometimes required; see details)

See example input.

Update Users

When updating users, you must specify the user id field. Vault uses IDs to locate the existing users that you want to update. See example input.

Upsert Users

The Upsert action is a combination of create and update. When using this action, you create one input CSV with all the fields required to create new users. For existing users, you must specify the user id, but you can leave other fields blank if the values should not change. See example input.

File Validation

Before beginning the Vault Loader job, Vault checks that the selected CSV file meets certain criteria:

  • Includes at least one record
  • Includes a valid header row (Invalid header rows are those with no columns that match to metadata for the records you’re loading or those with extra empty columns.)
  • Total number of records in the vault, plus new records created by the CSV, would not exceed your vault’s limits

If your file is not valid, Vault displays a notification, stops the process, and allows you to select a new CSV file. If some of the header columns do not match metadata for your vault, the notification will allow you to stop the load or ignore those columns and proceed.

Vault Membership Assignments

User accounts exist at the domain level. For multi-vault domains, this means that user details for a user (Thomas Chung, for example) are shared across all vaults he can access.

If you are using the Update action to assign existing users to an additional vault, you need to include vault_membership in your CSV. You must be a Vault Owner to use this functionality for one vault on a domain, and a Domain Admin to use this functionality for multiple vaults on the same domain.

The vault_membership field accepts multiple values in a specific format:

{Vault ID}:{User Status/active__v}:{Security Profile}:{License Type}

The only required value is vault ID. If you leave the other values blank, Vault creates the user with default settings. To understand default settings, consider these two examples. Each produces the same result:

vault_membership Comment
3003:true:edc_investigator__v:full__v Assigns to vault 3003
3003 Same as above

The next two examples also produce the same result:

vault_membership Comment
3003:true:system_admin__v:full__v Assigned to vault 3003 with system_admin__v security profile
3003::system_admin__v Same as above

When assigning existing users to new vaults, you do not need to include membership information for vaults to which they already belong.

Note that new Vault users only receive welcome emails if they are assigned to a vault via the vault_membership field. For example, a new domain user who does not have any assigned vaults will not receive a welcome email.

Assigning Users to Multiple Vaults

The next two examples add users to multiple vaults in a domain.

vault_membership Comment
3003,4004,5005 Assigns to vaults 3003, 4004, and 5005 with default settings
3003:false:read_only_user__v:read_only__v,
4004,5005
Assigns to vault 3003 as Inactive (active:false), with Read Only User security profile and Read Only license type</p>

Assigns to vaults 4004 and 5005 with default settings

Suppressing Welcome Emails

When creating new users via Vault Loader, you can prevent Vault from sending welcome emails to a user by setting the user_needs_to_change_password__v setting to false. This does not work for users with SSO security profiles, but you can work around this limitation by creating the users with a basic security profile and updating them to the SSO security profile with an update action through Vault Loader.


Last Updated: