Add multiple applications - Bulk upload

You can upload multiple applications automatically into the Vault. Using the Bulk Upload feature, you upload a Comma Separated Values (CSV) file containing all the required details about applications into the Vault through the PVWA.

Bulk Upload overview

Based on a CSV input file, Bulk Upload creates the following environment in the Vault:

Creates or updates application IDs (users) according to the specified information.

Assigns authorizations to application IDs and Credential Providers in the relevant Safes.

Assigns application IDs and the Credential Providers to groups. In this case, authorizations to Safes will be assigned to the groups and not directly to the application IDs or Credential Providers.

The following permissions are required to add multiple applications using the Bulk Upload:

Location

Description

Permissions

Vault

To create application IDs (users) and specify access authorizations

Manage users

Safes

In the Safe(s) where the accounts are stored and the Credential Provider and applications have access:

  • List accounts

  • Retrieve accounts

  • View Safe Members

  • Manage Safe Members

CSV file

Application parameters that will be uploaded to the Vault are stored in a text file as Comma Separated Values (CSV). The first line in the file defines the names of the application properties. Every other line represents a single application and its property values, according to the properties specified in the first line.

By default, the authentication method for all the applications that are uploaded is based on the new authentication methods, with no credential files. Applications that already exist in the Vault and use credential files will be reconfigured for the new method if they are listed in the CSV file. None of their other configurations or restrictions will be changed, unless they are defined in the CSV file.

The application properties in the CSV file are listed in the table below. Any of the following values can be specified for each application property:

Property value Description

Value

The application property in the Vault will be defined according to the value that is specified in the CSV file, including authentication restrictions. For example, if the CSV file specifies only one application IP address, but the application restrictions in the Vault define IP addresses, after the CSV file is uploaded, the existing values will be deleted and only the new value will be defined.

Empty

New properties will not be defined or they will be assigned the default value. Existing application property values will not be changed.

Clear

New application properties will be left empty. The value of existing application property values will be cleared and the property will be left empty.

 

To delete current path restrictions, write ‘CLEAR’ in any of the path restriction columns. Likewise, to specify a new path restriction, specify the new value in any of the path restriction columns.

The following application properties can be specified for every application that will be uploaded to the Vault:

Parameter Description

Application ID

( mandatory)

The unique name (ID) of the application that will be created or updated. This name can contain up to a maximum number of 128 characters.

Acceptable value: String

Application Description

A description of the application.

Acceptable value: String

Business Owner First Name

The first name of the application’s business owner.

Acceptable value: String

Business Owner Last Name

The last name of the application’s business owner.

Acceptable value: String

Business Owner Email

The email address of the application’s business owner.

Acceptable value: String

Business Owner Phone

The phone number of the application’s business owner.

Acceptable value: String

IP Restrictions

The IP addresses or IP subnets where the application can run, separated by semicolons.

IP subnets must be in CIDR format, IP/number, where:

  • IP is a valid IP address in IPv4 or IPv6 format
  • number is a value between 0-32

Acceptable value: String

OS User Restrictions

The Windows domain OS user(s) that are authorized to run the application.
Separate multiple Windows domain OS users (including domains) with semicolons.

Acceptable value: String

Path Restrictions (Non Recursive)

The paths where applications can run.

Separate multiple paths with semicolons.

These paths are updated with “Allow internal scripts to request credentials on behalf of this application ID”= No and Path is Folder=No.

Acceptable value: String

We recommend always combining authentications with OS User or Allowed Machines authentication, or both.

Path Restrictions (Recursive)

The paths where applications can run.

Separate multiple paths with semicolons.

These paths are updated with “Allow internal scripts to request credentials on behalf of this application ID”= Yes and Path is Folder=No.

Acceptable value: String

We recommend always combining authentications with OS User or Allowed Machines authentication, or both.

Folder Restrictions (Non Recursive)

The paths where applications can run.
Separate multiple paths with semicolons.

These paths are updated with “Allow internal scripts to request credentials on behalf of this application ID”= No and Path is Folder=Yes.

Acceptable value: String

We recommend always combining authentications with OS User or Allowed Machines authentication, or both.

Folder Restrictions (Recursive)

The paths where applications can run.

Separate multiple paths with semicolons.

These paths are updated with “Allow internal scripts to request credentials on behalf of this application ID”= Yes and Path is Folder=Yes.

Acceptable value: String

We recommend always combining authentications with OS User or Allowed Machines authentication, or both.

Hash Restrictions

The unique hash values of the application. Specify multiple hash values with semicolons. For more information, refer to Generate an application hash value.

To add more information in a comment after each hash value specified for an application, use ‘#’ after the hash value, followed by the comment. For example, You can add additional information in a comment after each hash value specified for an application by specifying ‘#’ after the hash value, followed by the comment. For example,

 

1A6F2A14E4C30729AA1E392261DA47568465ED47FFD8ED4E03082CE13ACB44819BF34D9D902668E4782C450D22EFC8F573F329657B1EAF20E5228BB49D613827 # app2

The comment must not include a colon or a semicolon.

Acceptable value: String

We recommend always combining authentications with OS User or Allowed Machines authentication, or both.

Location

( mandatory)

The location in the Vault hierarchy where the application will be created. The user uploading the CSV file must be on the same level or higher.

Acceptable Values: Vault location

Disabled

Whether or not the application user will be disabled.

Acceptable values: Yes /No

Default: No

Logon From

The time from when the Credential Providers/Central Credential Providers can retrieve the password for this application.

Acceptable values: Between 00:00 and 23:59. For example, 07:00.

Logon To

The time until when the Central Credential Provider can retrieve the password for this application.

Acceptable values Between 00:00 and 23:59. For example, 22:00.

Expiration Date

The date that the application user will expire.

Acceptable values: MM-DD-YYYY, MM/DD/YYYY , YYYY-MM-DD, or YYYY/MM/DD. It must be today’s date or a future date.

Safes

The Safes that the application and Credential Provider users will be given authorization to access.
Separate multiple Safe names with semicolons.

Acceptable values: Safe name

Application Groups

The group to which the application user will be added. Specify an existing group. When a group is specified, the group will be assigned as an owner of the specified Safe(s) and not the application user.
Separate multiple groups with semicolons.

Acceptable values: Group name

Provider Groups

The group to which the Credential Provider user will be added. Specify an existing group. When a Provider Group is specified, the group will be assigned as an owner of the specified Safe(s) and not the Credential Provider user.
Separate multiple groups with semicolons.

Acceptable values: Group name

Providers

The Credential Providers that will be authorized to retrieve passwords for this application.  Each Credential Provider will be given access authorization for the same Safes and accounts as the application.
Specify Credential Providers that have already been installed and defined in the Vault.
Separate multiple Credential Providers with semicolons.

Acceptable values:  A Credential Provider that has already been installed and defined in the Vault.

Allow Extended Authentication

When defined as Yes, the Credential Providers can enable you to specify an unlimited number of machines and Windows domain OS users for a single application.

Acceptable values: Yes /No

Default: No

 

Groups, Safes, and Credential Provider parameters can be added in the CSV file only. Then, once the applications have been defined in the Vault, their properties can only be updated in the PVWA Application Details page.

Application CSV file

You can create a file in Excel and save it in CSV format so that it can be uploaded to the Vault. Each column in the Excel file represents a different application property.

  The CSV file contains sensitive data; we recommend that you delete it immediately after use.