CSV Upload

Import identity and authorization data from CSV files into Veza

Overview

Use CSV Upload to integrate identity and authorization metadata from sources that don't have built-in Veza connectors, but can export or provide data in tabular format.

You can create a CSV integration in Veza to:

  • Import user and authorization data from legacy or custom applications

  • Integrate with SaaS applications that support CSV exports

  • Model employee access to homegrown or specialized systems

  • Upload employee metadata from your HRIS as a source of identity for Lifecycle Management workflows

The integration uses the Open Authorization API (OAA) to map CSV data to supported OAA templates:

  • Application - Models Users, Groups, Roles, and Resources across applications for a wide variety of authorization use cases. An introduction to the Application Template can be found here.

  • Human Resource Information Systems (HRIS) - Models employee information from HR sources for use with Lifecycle Management (LCM).

Application Template - Use Custom Applications to model business applications and access permissions:

  • Models Users, Groups, Roles, and Resources across applications

  • For example, you can upload user permissions from a homegrown CRM system, data store, or any other application users can access.

HRIS Template - Use for employee data from HR systems

  • Models employee information and organizational structure

  • For example, you can uploading employee data for manager-based Access Reviews and automated provisioning with Lifecycle Management.

Which template should I choose? If your CSV contains information about who can access what resources, choose Application. If it contains employee information like departments and managers, choose HRIS.

When to Use CSV Integration

CSV integration is ideal for systems that export tabular data but lack dedicated Veza connectors:

  • Legacy applications with user permission exports

  • Custom business applications built in-house

  • HR systems for employee lifecycle management

  • Specialized industry tools without native APIs

CSV import enables modeling identity and permissions metadata for any application not natively supported by Veza, with flexible column mapping, custom properties, and support for multiple data formats.

Adding a CSV Integration

Prerequisites

To create an integration from CSV, you will need:

  • A CSV file containing relevant data with column headers

  • Sufficient permissions in Veza (Administrator or CSV Manager role)

  • Understanding of the data model for the source application

  • A plan for mapping between CSV columns and Veza attributes

Format Requirements

CSV (Comma-Separated Values) is a widely used file format that stores tabular data in plain text. Each row represents a record or a relationship between entities (e.g., User to Role), and columns represent attributes.

When importing from CSV:

  1. The first row must contain column headers

  2. Each column can be mapped to a specific Veza attribute or custom attribute

  3. Columns can be ignored after uploading the file

  4. At minimum, you must map columns for unique identifiers (such as user ID or Name) for each entity type you plan to import (e.g., Users, Groups, Roles, or Employees).

Create a CSV Integration

To create a new CSV integration:

  1. Go to Integrations > Add Integration

  2. Choose Upload CSV from the options

  3. Upload a logo for the provider (optional) - This will appear throughout the Veza UI, including in Graph search, to identify the integration and entity types.

  4. Enter an integration name

    • Use a title that uniquely identifies this integration source

    • Avoid generic terms like "application" or "CSV"

    • If you have multiple environments, consider including that in the name

  5. Select a data source template (currently supports Application and HR Systems)

  6. Enter template-specific information (fields will vary based on the selected template):

    For Application Template:

    • Name: A unique identifying name for this specific application instance (e.g., "Marketing CRM - Prod", "HR Portal - Dev").

    • Type: The general category or system type (e.g., "CRM", "DevOps Tool"). In Veza, the type appears as a prefix on entity names, e.g., CRM User, DevOps Tool Role.

    For HR System Template:

    • Name: A unique identifying name for the HR system (e.g., "Workday - Production", "HR Portal - Dev")

    • Type: The type of HR system (e.g., "HRIS", "ATS", "Benefits")

    • URL: The URL of the HR system

    Note: Naming is critical for easy search in Veza. For Applications, the Type enables searching for all entities of that category, while the Name differentiates between multiple instances of the same system type.

  7. Upload the CSV file - Veza will read the column headers and show them for mapping

  8. Map your columns to Veza attributes (see Column Mapping section)

  9. Click Create Integration to trigger extraction and parsing

CSV Column Mapping

The CSV integration allows you to map columns in your file to specific Veza attributes. After uploading the CSV, Veza automatically detects all columns and presents them for mapping.

For each column, you can:

  1. Select to include or exclude the column

  2. Select the target entity type for mapping (available entities depend on the selected template)

  3. Select the specific entity attribute to map to (only attributes applicable to the selected entity type will be shown)

  4. For custom properties, specify a name and data type

Example: Mapping CSV columns to Application template entities and attributes

CSV Mapping Interface with column selection and attribute mapping options

For more examples and detailed mapping patterns, see CSV Import Examples.

Supported Entity Types and Attributes

For all entities, an ID or Name is required. If ID is not provided, Name is automatically used as the unique identifier for the entity. Both are also supported.

The available entity types and attributes depend on the template you select. Each template supports different entity types.

Application Template Entities

User Attributes

Attribute
Description

ID

Unique identifier for the user

Name

Display name for the user

Is Active

Boolean indicating if the user is active

Created At

Timestamp when the user was created

Last Login At

Timestamp of the user's last login

Deactivated At

Timestamp when the user was deactivated

Password Last Changed At

Timestamp of the last password change

Email

User's email address

Custom Properties

Map any column to a custom user property (type varies)

Group Attributes

Attribute
Description

ID

Unique identifier for the group

Name

Name of the group (supports list format)

Created At

Timestamp when the group was created

Custom Properties

Map any column to a custom group property (type varies)

Role Attributes

Attribute
Description

ID

Unique identifier for the role

Name

Name of the role (supports list format)

Permissions

Permissions assigned to the role (supports list format)

Custom Properties

Map any column to a custom role property (type varies)

HR System Template Entities

Employee Attributes

Attribute
Description

ID

Unique identifier for the employee

Name

Employee name (typically full name)

Employee Number

Alternative employee identifier

Company

Employee's company

First Name

Employee's first name

Last Name

Employee's last name

Preferred Name

Employee's preferred name

Display Full Name

Complete display name

Canonical Name

Standardized name format

Username

Employee's username

Email

Primary email address

IDP ID

Identity Provider ID

Personal Email

Personal email address

Home Location

Employee's home location

Work Location

Employee's work location

Cost Center

Cost center assignment

Department

Employee's department

Managers

Employee's manager(s) (supports list format)

Groups

Group memberships (supports list format)

Employment Status

Current employment status

Is Active

Boolean indicating active employment

Start Date

Employment start date

Termination Date

Employment end date

Job Title

Employee's job title

Employment Types

Types of employment (supports list format)

Primary Time Zone

Employee's primary time zone

Custom Properties

Map any column to a custom employee property (type varies)

Data Type Handling

Boolean Values

The following values are treated as TRUE (case-insensitive):

  • true, t

  • yes, y

  • 1

  • active

  • enabled

Any other value is treated as FALSE.

Timestamp Formats

Veza supports multiple timestamp formats:

  • 2023-04-12T15:34:56.123456789Z (RFC3339 with nanoseconds)

  • 2006-01-02T15:04:05Z07:00 (RFC3339)

  • 20060102150405 (Active Directory format)

  • 2006-01-30 15:04:05Z07:00

  • 2006-01-30 15:04:05

  • 2006-01-30

  • 2006-01-30T

  • 2006-01-30T15:04:05

  • 2006-01-30T15:04:05Z

  • 1/2/2006 (MM/DD/YYYY format)

Timestamps are considered unset when the value is never, null, none, false, 0 or empty. Invalid timestamps will result in a processing error.

String Lists

For attributes that support lists (like Role Name List, and Group Name List), values should be comma-separated within the cell and the list enclosude by quotes ".

Updating a CSV Integration

Incremental updates are not supported; you must submit the complete data set for each update.

Push new data for an existing integration

  1. Find the CSV integration on the Veza Integrations page

  2. Click on the integration name to view details

  3. Under Data Sources, click Upload CSV

  4. Select your updated CSV file and click Upload

Update mappings for an integration

  1. Find the CSV integration on the Veza Integrations page

  2. Click on the integration name to view details

  3. Click Edit

  4. In the integration configuration, click Edit above the table of current mappings

  5. Modify your column mappings as needed

  6. Click Save Configuration to apply the changes

CSV Manager Role

Veza provides a limited privilege "CSV Manager" role for users that need permission to manage a CSV integration, but should not have access to other functionality in Veza. Users with this role can:

  • Create new CSV integrations

  • Upload new CSV data

  • Edit existing CSV integrations, including delete

This role can be combined with Teams to further limit a user's scope. When a user with the CSV manager role is added to a non-root team, they can only manage CSV integrations assigned to their team.

Processing Rules

  • Multiple Rows per Entity: If the same entity (user, group, or role) appears in multiple rows, Veza processes them as follows:

    • Properties are set based on the first row where the entity ID (or Name if it is being used as the unique ID) appears

    • For subsequent rows with the same identifier, only relationship assignments are processed (for example user to group, or user to role)

    • Role permissions are the only properties that are additive across all rows

  • Ignored Columns: Columns that are not mapped (unchecked) are ignored during processing

  • Additional Columns: CSV files can contain more columns than are mapped - extra columns are ignored

  • Entity Identifiers: Every entity type (user, group, role) requires an ID or Name (or both). If only one is provided, the same value is used for both fields and must be unique.

  • Identity Mapping: When using the Application template, you can choose the column(s) used to connect external identities.

Last updated

Was this helpful?