# CyberArk Import

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVx3vcawaXEus29CaFi0G%2FImport-Keeper-Cyberark.jpg?alt=media&#x26;token=5feb06a1-909a-4200-bad0-80848f2b5841" alt=""><figcaption></figcaption></figure>

Keeper Commander will log on to CyberArk Privilege Cloud Web Portal or the self-hosted Password Vault Web Access (PVWA), retrieve accounts and their passwords, and automatically create corresponding Server records in Keeper.

```sh
keeper import --format=cyberark server.domain
```

If the server is a CyberArk Privilege Cloud Web Portal, i.e., it ends in ".cyberark.cloud," then it will prompt for the CyberArk Identity Tenant ID and CyberArk Service User credentials:

```
CyberArk Identity Tenant ID: abc12345
CyberArk service user name: myserviceuser
Cyberark service user password:
```

:information\_source: The Identity Tenant ID is the first part of the login URL, e.g., https\://*abc12345*.id.cyberark.cloud/...

If the server is any other hostname or IP address, then it will prompt for the authentication method, username, and password for PVWA:

```
CyberArk logon type (Cyberark, LDAP, RADIUS or Windows): LDAP
CyberArk username: myusername
CyberArk password: 
```

:information\_source: Use **LDAP** (not Windows) to log in with an **Active Directory** account

CyberArk Accounts based on Platforms in the *Windows* and *\*NIX* groups will be imported as Server records. Accounts based on the *Business Website p*latform, i.e., CyberArk Workforce Password Management Accounts, will import as Login records.

### Importing Accounts

The process will list the Accounts to be imported, including the ID, Name, and Safe. It will also show a progress meter with a timer and ETA. If password retrieval fails for an Account, a Retry, Skip, or Skip All dialog is presented. The process can retry the request, skip the Account, or skip all Accounts that trigger the same HTTP status.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FNHpxOei0QP7CkkJqpiuc%2FScreenshot%202025-05-07%20154348.png?alt=media&#x26;token=6df12176-7d8e-45f6-919a-75ebd48e5359" alt=""><figcaption><p>A dialog resulting from a 400 (Bad Request) HTTP response from the password API endpoint.</p></figcaption></figure>

#### Skipped Accounts

The skipped Accounts will be listed after processing is complete. The list includes the *ID*, *Name*, *Safe*, and the *Error* code and message.

### Using a search string to limit the imported Accounts

The process will import all Accounts by default; however, appending a question mark (?) followed by the search string will limit processing to Accounts that match the search.

```bash
keeper import --format=cyberark 10.11.12.13?WinDomain
```

### Using a custom query string

Alternatively, if the search string contains '=', the process will pass it to the CyberArk Get Accounts endpoint as a query string. E.g.,

```
keeper import --format=cyberark example.cyberark.cloud?limit=10&offset=20
```

passes the limit and offset parameters to the Accounts endpoint, causing it to page the accounts 10 at a time, starting at the 20th account.

### PowerShell Method

The [end-user guide](https://docs.keeper.io/user-guides/import-records-1/import-from-cyberark) includes a process to import data into Keeper from Cyberark using a PowerShell script. Note, however, that it accesses the Vault server directly, so it only works on self-hosted servers.