Import accounts

This topic describes how to import accounts and notes from a third-party password manager or a comma-separated value (.csv) file. Imported account credentials and notes are securely stored in either the CyberArk Identity cloud or a self-hosted PAM Vault. After your accounts are imported, the apps associated with a URL show in your Applications window. Accounts that do not contain a URL show in your Secured items window.

Before you begin

Make sure you have done the following:

  • Export the required accounts to a .csv file from the supported password managers.

  • If exporting from LastPass, have your LastPass master password for direct import.

  • Create a .csv file to import from password managers that are not supported.

Supported third-party password manager apps

You can import accounts from the following password managers:

  • LastPass

  • KeePass

    When importing KeePass accounts through the User Portal, avoid importing values that end with a backslash (\). The import succeeds but the values are not mapped.

  • Dashlane

  • Google

Supported CSV file format

You can import accounts from any password manager that is able to export accounts to a .csv file. Apps that are not in the CyberArk Identity apps catalog can be imported if they contain at least the name attribute and any other supported attributes listed in the following table.

CSV file supported attributes

Attribute

Required

Description

name

Yes

Name of application or secured note.

url

No

Application URL.

username

No

Username for the application or secured note.

password

No

Password for the application or secured note.

notes

No

Additional information.

totp

No

The application's secret key for TOTP.

folders

No

Column is mapped to existing folders in CyberArk.

In the comma-separated value (.csv) file, if a value in a column contains an embedded comma, the characters after the comma are treated as a value in the next column. Take care to ensure that this does not occur unintentionally.

CSV file character restrictions

Before you import a .csv file, make sure the file observes the following restrictions:

  • Do not use the special characters & and # in combination, except in passwords. For example, this is unacceptable: use&#name.

  • Do not use any characters immediately following a < symbol, except in passwords. For example, this is unacceptable: <xxxx.

  • If a value in a column contains an embedded comma, the characters after the comma are treated as a value in the next column. Take care to ensure that this does not occur unintentionally.

  • If you are storing WPM credentials in the PAM - Self-Hosted Vault, follow the guidelines provided in Multi-language requirements.

Import credentials using a CSV file

Perform these steps for all password managers except for LastPass. For LastPass, see Import credentials directly from LastPass .

  1. Go to User Portal > Applications and select Add Web Apps. Select the Import tab in the App catalog window.

  2. Click Browse for a third-party password manager, or Browse next to Other to import a .csv file. You can also download a sample template file that indicates the fields to be included in the .csv file. Click Download template below Other to download the .csv file. This file contains the column names with an example for each field.

    You can also click here to download the .csv sample template file.

    An import file can contain up to 1000 applications and secured items.

  3. Select the .csv file.

    The import process happens in the background so you can continue doing other tasks, but you cannot start another import until the previous one has finished.

    If the import file contains any application URL that already exists in CyberArk Identity, you are prompted to skip or duplicate those applications.

  4. You can open the app by clicking the app tile in the User Portal or go directly to the application sign-in page. Credentials are autofilled.

If an imported application is not in the  CyberArk Identity Application Catalog, credentials are autofilled and the application icon in the User Portal l is updated the first time a user signs in. Subsequently, after the user has completed the first sign-in, credentials for non-catalog applications are autofilled each time the user signs in from the User Portal.

Import credentials directly from LastPass

You can import credentials directly from LastPass to CyberArk Identity without using a .csv file. Direct import is more secure than other methods because you don't have to save the exported data and credentials on your device. After a successful import, you can access your applications and Secured Items in the User Portal.

This is an early access feature. Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features. Contact your account representative to enable this feature.

What is imported to CyberArk Identity

The following items are imported to CyberArk Identity from LastPass:

  • Notes without associated passwords

  • Passwords (application and non-web application). Accounts without a URL are imported as Secured Items (Secured Passwords or Secured Notes). Accounts with a URL are imported as applications.

  • Authentication key for web applications that require two-factor authentication.

  • Personal folders.

    Nested folders in LastPass are imported to CyberArk Identity as separate folders using the naming format <parent-folder/child-folder>. For example, a folder named FolderA is imported as FolderA. If FolderA contains FolderB, FolderB is imported separately with the name FolderA/FolderB.

  • Shared folders. You can import shared folders from LastPass if you are the owner. When certain conditions are met, shared folders are imported with the same sharing permissions that are set in LastPass. For details see the following table.

    Importing shared folder permissions from LastPass

    Sharing permission in LastPass

    Requirements for successful import

    Folder is shared with an individual in LastPass.

    Your CyberArk Identity email address must match the email address used in LastPass. If the email address does not match, or if the LastPass email address matches multiple email addresses in CyberArk Identity, the folder permission is not imported.

    Folder is shared with a group in LastPass.

    The group name used in LastPass must match a group name in CyberArk Identity. If the group name does not match, or if it matches multiple groups in CyberArk Identity, the folder permission is not imported.

    CyberArk Identity attempts to find groups in its Active Directory even if the group was not previously in the LastPass Active Directory.

CyberArk Identity does not import other data types stored with Lastpass such as credit cards, addresses, and passwords or notes that are not supported for import.

Perform the following steps to import the LastPass account to CyberArk Identity.

Step 1: Disable settings in your LastPass account

See your LastPass documentation for detailed instructions.

  1. Sign in to LastPass.

  2. Disable multifactor authentication (MFA) on your account.

  3. Disable the setting Permit super admins to access shared folders. This prevents super admins from importing your shared items.

  4. Disable email verification for unknown devices and locations.

    1. In the left navigation panel, go to Account Settings.

    2. Click Show Advanced Settings.

    3. Deselect the Disable Email Verification checkbox.

    4. Click Update.

Step 2: Import credentials from LastPass to CyberArk Identity

  1. From the User Portal, click Add > Application.

  2. Select the Import tab.

  3. Next to the LastPass icon, click Import > Direct.

  4. In the Username and Password fields, enter your LastPass credentials, then click Import.

    A message confirms that the import is in progress. The import continues even if you close the window.

If authentication fails from the LastPass account you imported, check the email associated with this account and verify your identity.

Secured Notes

Secured Notes are credentials or secrets intended for various uses other than application access. For example, Secured Notes can include application licenses, access tokens, encryption keys, and security questions. This information is provided in different columns of the exported .csv file, depending on the application. Workforce Password Management imports these notes as Secured Notes. The following table describes what notes each application exports and which column these notes appear in.

Apps that support importing Secured Notes

Apps

Information provided in exported .csv file

Column in exported .csv file (imported as Secured Notes)

LastPass

Application notes or password notes

extra column

KeePass

Application notes or Secured Item - passwords

comments column

Google Password Manager

Secured Notes

note column

Dashlane

Secured Notes

note column

Separate .csv files are provided for Secured Notes and application or password notes. Folders and TOTPs are also provided.

Others

 

You must add a notes column to the .csv file.

See Supported CSV file format for more information.

Import results for Secured Notes

Secured Notes are imported to Workforce Password Management (WPM) when the appropriate information is available in the .csv file. The following table describes import results based on different scenarios. WPM applies these rules to process each record (line) in the file. For example, if a .csv file record does not contain a URL, a username or password, and an Extra/Notes column exists, then the application and notes are imported.

Dashlane provides multiple types of .csv files. All .csv files are processed as described in the table.

Import results based on data supplied in the .csv file

URL

Username and password

Extra/notes

Result

No No

Column exists

Imported as Secured Item and note

Yes

No

Column doesn't exist

Imported as application without notes.

No Username or password available

Yes

Imported as a Secured Item - password

Yes No

Yes

Imported as an application account.

No

No

Yes

Imported as a Secured Item - password

Import Secured Notes

To import Secured Notes:
  1. From the User Portal, click Add Apps > Application.

  2. Go to the Import tab.

  3. Next to the application or Others icon, click Browse.

  4. Select the .csv file to import.

    A message confirms that the import is in progress. The import continues even if you close the window.

Download import log files

For every import, a log file is generated. Use this log file to troubleshoot, if necessary.

To download an import log file:
  1. Go to User Portal > Applications and select Add Web Apps.

  2. Click the Import tab in the App catalog window.

  3. Select a log from the Previous import logs drop-down.

    The last 10 import logs are available for download.

    If you need an earlier download, contact Support.

  4. Click Download.