Dashboard CSV import

A 6-step wizard that takes a CSV of identities and either invites them by email, creates Environment-scoped rows directly, or pre-stages Account-tier directory rows — same outcomes as the per-row dashboard flows, but batched up to 200 rows per request with per-row partial-success semantics.

When to use the CSV wizard

Reach for the wizard when you have a list (exported from an HR system, a spreadsheet of new hires, a previous tenant's user dump) and you want to provision the whole batch in one pass with a human-reviewable preview before anything is written.

The three modes

Step 1 of the wizard locks the mode for the rest of the run. Pick the mode that matches how the identities should land in your Account. The dashboard surface you opened the wizard from determines which modes are available: Tenant > Identities opens the wizard on the Account-tier mode; Access Control > Identities opens it on the two Environment-scoped modes.

Bulk invite

Environment-scoped. Sends each row an email with a link to set their own password. The identity row, AppMembership, and any optional role + node assignment are created when the recipient clicks Accept. Best when the recipient should choose their credentials, typical for new hires and external collaborators.

Bulk create

Environment-scoped. Writes the identity rows directly. No email is sent. Optionally accepts a password column for a starting password the user can change after first login, plus an optional role_id + node_id pair per row to bundle an assignment. Best for migrations, pre-provisioning ahead of go-live, or federated/SSO identities where authentication won't be a Canopy password.

Account-tier bulk create

Account-tier. Writes directory-only Identity rows to the Account — no role, no node, no Environment context. Required columns: email, first_name, last_name. Optional columns: password, external_id, application_id (links the row to an Application as an AppMembership). Open this mode from Tenant > Identities → Import CSV. Best for federated/SSO directories you want to pre-stage before any Environment touches them.

Walking through the wizard

Open the wizard from the Identities page header → Import CSV. The dialog opens at step 1.

Six steps
1. Mode: pick one of the available modes. From Access Control > Identities → Import CSV, you'll see Bulk invite and Bulk create. From Tenant > Identities → Import CSV, you'll see Account-tier bulk create. Each card lists the mode's required and optional CSV columns and offers a Download sample CSV link with the full column set + comment-line documentation.
2. Upload: drop a CSV file or paste raw CSV text. The parser auto-detects delimiter (comma / semicolon / tab) and encoding, strips comment lines starting with #, and shows a summary of rows + columns + delimiter on success. Up to 10 MB and 10,000 rows per file.
3. Mapping: the wizard auto-maps CSV headers to Canopy fields using a built-in alias table (e.g. E-Mail → email, Surname → last_name). Each row carries a status badge: green for matched, grey for ignored. Override any row by picking from the dropdown, or leave columns the wizard didn't recognise on Ignore. Required-field-missing alerts appear at the top until every required field is mapped.
4. Preview: every parsed row is validated against the Environment's real role / node / OAuth-client lookups (fetched on wizard open) plus per-field checks (email format, UUID format, password length, send_email truthiness). The stats panel summarises valid / warning / error counts. Rows with errors are tinted, get an Issues column listing what's wrong, and are auto-deselected: the checkbox is disabled until the source CSV is fixed and re-uploaded.
5. Submit: selected rows get chunked into batches of 200 and posted to the portal identities/bulk-create endpoint (App-scoped), or to identity-invites/bulk-create (Environment-scoped) for invite mode, each batch with its own idempotency key. Live progress bar plus a Cancel button between batches. Retries on transient network errors (429, 500, 502, 503, 504) with exponential backoff.
6. Results: per-row outcome table: success rows show the new identity ID, error rows show the server's reason (e.g. email_conflict), skipped rows show why they were skipped (deselected at preview, or skipped after a mid-flight cancel). Two CSV downloads: failed rows only for fix-and-re-upload loops, and full results for your audit trail.

Common pitfalls

- Optional columns with placeholder values fail validation. Bogus UUIDs in role_id / node_id or strings like your-oauth-client-id in client_id get caught at the preview step now (after the lookups load). Fix the source CSV: leave optional cells empty unless you have real Environment IDs to fill in.
- Role and node must be paired. If a row has role_id, it must also have node_id (and vice versa). The validator flags rows that have one without the other as a row-level error.
- Header aliases are flexible but not infinite. The wizard auto-maps common variants (E-Mail, Given Name, Surname) but anything outside the alias table lands on Ignore and the user has to manually map it from the dropdown. Required-field-missing alerts make this hard to overlook.
- Files larger than 10 MB or 10,000 rows are rejected at upload. Split the CSV into multiple files client-side, or call POST /api/v1/identities/bulk-create directly from a backend script in chunks of 200.

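A pre-flight check for the pitfalls above, run on the CSV before it reaches the wizard or a backend script. This is an added example, not Canopy's own code: the function names, the required-column set and the loose email pattern are assumptions, and because this page does not specify how rows and the idempotency key are sent to the endpoint, it returns the keyed batches of 200 and leaves the request to the caller.

```python
import csv, re, uuid

BATCH_SIZE, MAX_ROWS = 200, 10_000   # per-request and per-file limits from the page
UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumption: loose format check

SAMPLE = """# constructed sample data, not real identities
email;first_name;role_id;node_id
alice@example.com;Alice;3f2b8c1e-0d4a-4b6f-9a3e-1c2d3e4f5a6b;7a1c9e2d-5b3f-4c8a-8e1d-2f3a4b5c6d7e
bob@example.com;Bob;;
carol@example.com;Carol;3f2b8c1e-0d4a-4b6f-9a3e-1c2d3e4f5a6b;
dave@example.com;Dave;your-role-id;your-node-id
not-an-email;Eve;;
"""

def parse(text):
    """Drop blank and '#' comment lines, pick the delimiter from the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()[:1] not in ("", "#")]
    delimiter = max(",;\t", key=lines[0].count) if lines else ","
    return list(csv.DictReader(lines, delimiter=delimiter))

def lint_row(row, required=("email",)):  # assumption: required set for this mode
    """Return the issues for one row; an empty list means it can be submitted."""
    issues = [f"missing {f}" for f in required if not (row.get(f) or "").strip()]
    email = (row.get("email") or "").strip()
    if email and not EMAIL_RE.match(email):
        issues.append("bad email format")
    role, node = ((row.get(k) or "").strip() for k in ("role_id", "node_id"))
    if bool(role) != bool(node):
        issues.append("role_id and node_id must be paired")
    issues += [f"{k} is not a UUID" for k, v in (("role_id", role), ("node_id", node))
               if v and not UUID_RE.match(v)]
    return issues

def plan(text):
    """Return (batches, rejected): batches are (idempotency_key, rows) pairs."""
    rows = parse(text)
    if len(rows) > MAX_ROWS:
        raise ValueError("more than 10,000 rows: split the file first")
    good, rejected = [], []
    for n, row in enumerate(rows, start=1):
        issues = lint_row(row)
        if issues:
            rejected.append((n, issues))
        else:
            good.append(row)
    batches = [(str(uuid.uuid4()), good[i:i + BATCH_SIZE])
               for i in range(0, len(good), BATCH_SIZE)]
    return batches, rejected
```

Calling plan(SAMPLE) yields one batch holding the two clean rows and rejects data rows 3, 4 and 5 for the unpaired role_id, the placeholder IDs and the malformed email.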
First time setting up?

When you land on a fresh Environment — the dashboard seeds every Account with a Development and Production env at signup, both empty — the Overview page shows a banner that reads "You haven't invited any users or assigned them roles yet." Click Complete Invite & Assign Users Setup to open the Setup Guide on its Invite & Assign Users tab — an interactive slide-out panel that walks you through inviting identities and assigning them roles. Each step links directly to the right page and surfaces contextual help alongside, so you don't have to bounce between docs and the dashboard to figure out where to click next.

What the guide walks you through:

- Invite identities
- Assign roles to identities