# Using a CSV Template ### Conversion Process There are two main ways to handle conversion from CSV to JSON: 1. Work exclusively from a CSV file Set all pamDirectory, pamMachine and pamUser objects in your CSV. 2. Work with a reduced CSV file, and with a JSON template to fill default attributes The CSV file would only include information unique to your pamMachines and pamUsers, but fill in all other data from a JSON template file. ### 1 – Working Exclusively from CSV #### Required Fields The minimum fields for the CSV are as follows: | hostname | username | user\_path | | ----------------- | ------------- | ----------------- | | DESKTOP-001.local | | | | | Administrator | DESKTOP-001.local | The `user_path` column defined under which resource the user should be placed. This example would create the following JSON object: ```json { "title": "DESKTOP-001.local", "type": "pamMachine", "host": "DESKTOP-001.local", "pam_settings": { "options": { "rotation": "off", "connections": "on", "tunneling": "off", "graphical_session_recording": "on" }, "connection": {} }, "users": [ { "title": "DESKTOP-001.local - Administrator", "login": "Administrator", "password": "", "type": "pamUser", "rotation_settings": {} } ] } ``` #### Named Fields Beyond the required fields above, named fields can be used:
folder_pathtitlehostnametypeusernamepassworduser_path
SF/ADADdc.compamDirectory
SF/UsersAdminadminpwd123AD
These are fields which either apply to all objects (e.g. `title`) or apply automatically to specific objects (e.g. `password` will only apply to pamUsers). Notes: * The `type` column will default to `pamMachine` for rows that include a `hostname`, and `pamUser` for rows that include a `username` and `user_path`. * The `folder_path` column only applies to the `pam project extend` command, and will be ignored for `pam project import`. See more on the subject [here](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources/adding-pam-resources-to-an-existing-model). #### Advanced Fields Finally, fields that apply to a resource or user object can be set with the `rs` and `usr` prefixes respectively. Resource examples: `rs.port`, `rs.operating_system`, `rs.pam_settings.connection.protocol`, `rs.pam_settings.connection.administrative_credentials` User examples: `usr.distinguished_name`, `usr.rotation_settings.enabled` ### 2 - Using a CSV File with a JSON Template With this process, an additional JSON file would be used to define the project settings, your pamDirectory record, and the default fields for your pamMachine records. The CSV would then create all resources using the pamMachine template, and all users using the pamUser template from the JSON file. In our example, we will create a file name `import_template.json`, with the following content: {% code expandable="true" %} ```json { "project": "XXX:Example Project", "shared_folder_users": { "manage_users": true, "manage_records": true, "can_edit": true, "can_share": true }, "shared_folder_resources": { "manage_users": true, "manage_records": true, "can_edit": true, "can_share": true }, "pam_configuration": { "environment": "local", "connections": "on", "rotation": "on", "graphical_session_recording": "on" }, "pam_data": { "resources": [ { "_comment1": "Every key that starts with '_' is a comment and can be ignored or deleted", "_comment2": "Every value that starts with uppercase 'XXX:' must be replaced with actual value (removed if not required)", "_comment3": "Every value that starts with lowercase 'xxx:' is just a placeholder - can be replaced with anything but must be present", "type": "pamDirectory", "title": "XXX:Example AD", "directory_type": "XXX:active_directory|ldap", "host": "XXX:demo.local", "port": "XXX:636", "use_ssl": true, "domain_name": "XXX:demo.local", "pam_settings": { "options": { "rotation": "on", "connections": "on", "tunneling": "on", "graphical_session_recording": "on" }, "connection": { "protocol": "rdp", "port": "XXX:3389", "security": "XXX:any", "ignore_server_cert": true, "_comment_administrative_credentials": "Must match the unique title of one of the users below", "administrative_credentials": "XXX:DomainAdmin" } }, "users": [ { "type": "pamUser", "_comment_title": "Must match administrative_credentials above if this is the admin user", "title": "XXX:DomainAdmin", "_comment_login_password": "Must provide valid credentials but delete sensitive data/json after import", "login": "XXX:administrator@demo.local", "password": "XXX:P4ssw0rd_123", "rotation_settings": { "rotation": "general", "enabled": "on", "schedule": { "type": "on-demand" } } } ] }, { "_comment4": "While pamDirectory section above is static, the pamMachine section below is dynamicly generated", "_comment5": "One pamMachine with one pamUser will be generated per each line from the CSV file", "_comment6": "Only one pamMachine is needed and it will be used as a template for all CSV rows", "_comment7": "Please do NOT edit lines with xxx: in them - these are placeholders", "_comment8": "Any other line that don't contain xxx: can be altered/added/deleted in the template", "_comment9": "CSV Format: server_name,username,password", "type": "pamMachine", "_comment_title_and_host": "server value from CSV", "title": "xxx:server1", "host": "xxx:server1", "port": "5986", "ssl_verification": true, "operating_system": "Windows", "pam_settings": { "options": { "rotation": "on", "connections": "on", "tunneling": "on", "graphical_session_recording": "on" }, "connection": { "protocol": "rdp", "port": "3389", "security": "any", "ignore_server_cert": true, "_comment_administrative_credentials": "Format: pamDirectory#title.pamDirectory#administrative_credentials - exact match needed", "administrative_credentials": "XXX:Project1 AD.DomainAdmin" } }, "users": [ { "type": "pamUser", "_comment_title": "username value from CSV or server-username if --prefix-names option is used", "title": "xxx:admin", "_comment_login": "username value from CSV", "login": "xxx:Administrator", "_comment_password": "password value from CSV", "password": "xxx:P4ssw0rd_123", "rotation_settings": { "rotation": "general", "enabled": "on", "schedule": { "type": "on-demand" } } } ] } ] } } ``` {% endcode %} From the above template, replace every field labelled `XXX` with static information. Fields labelled `xxx` will be replaced by the script from the CSV data. Your CSV would then only exclude the pamDirectory resource and user, but include any other resource and user. Default fields from the template can be overridden by columns of the CSV. | hostname | username | user\_path | password | | ----------- | ------------ | ----------- | -------- | | DESKTOP-001 | | | | | | Domain Admin | Example AD | pwd123 | | | Local Admin | DESKTOP-001 | pwd123 | ### Run the Conversion Download the script [here](https://github.com/Keeper-Security/Commander/blob/master/examples/pam_import_generator_v2.py) and save it to a local directory. To simplify the command to run, you can have the following files in this directory: * `servers_to_import.csv` * `import_template.json` (only needed if you want to convert from a CSV and JSON) To run the conversion with the CSV file exclusively: ```bash python3 pam_import_generator.py ``` To run the conversion with both a CSV and JSON template files: ```bash python3 pam_import_generator.py --template-file import_template.json --prefix-names ``` The script supports the following arguments if you want to specify the file paths or output: `--input-file`: path to the CSV file. `--template-file`: path to the JSON template file. `--output-file`: path to the JSON output. By default, the script will create a file called `pam_import.json` in the same directory which contains all of the resources to be imported into Keeper.