Book Creator
 Add this page to your book
Book Creator
 Remove this page from your book  

 Manage book(0 page(s))
 Help

ImportTechnicalAccountsFromCSVExecutor

Long Running Task (LRT) that bulk-creates or updates Technical Accounts in CzechIdM by reading a semicolon-separated CSV file. Each CSV row represents one technical account. The task maps configurable column names to entity fields, supports dry-run mode, and never triggers unintended provisioning operations on existing accounts.

How It Works

  1. The task reads the attached CSV file line by line (first line = header).
  2. For each data row it looks up an existing Technical Account by the value in the identifier column (matched against externalId).
  3. Depending on whether the account exists and which behaviour flags are set, the account is created, updated, or skipped.
  4. Optional columns assign identity/role guarantors, link the account to a provisioning system, and associate it with a Technical Asset.
  5. All item-level results are written to the LRT task log.

CSV Format

Property Value
Encoding UTF-8 (BOM optional)
Column separator ; (configurable)
First row Header with column names
Multi-values | by default (configurable)
Date format yyyy-MM-dd (ISO 8601)
Only the identifier column is mandatory. All other columns are optional — the task only reads a column when the corresponding parameter is configured and the column exists in the CSV header. Configuring a column name that is absent from the CSV header causes the task to fail immediately with a descriptive error listing the missing columns.

Task Parameters

File & Format

Parameter Type Required Default Description
importFile Attachment Yes CSV file to import
separator String No ; Column separator character
encoding String No utf-8 File encoding

Column Mapping

Each parameter value is the exact name of a column in the CSV header (case-sensitive).

Parameter Description
identifiercolumn Required. Unique identifier for the account; stored as externalId. Used to look up existing accounts.
codecolumn Technical account code. Falls back to the identifier value when the column is not configured or the cell is blank.
descriptioncolumn Free-text description.
validfromcolumn Validity start date (yyyy-MM-dd). Blank cell leaves the field unchanged.
validtillcolumn Validity end date (yyyy-MM-dd). Blank cell leaves the field unchanged.
systemcolumn Name (codeable identifier) of the provisioning system to link.
mappingcolumn Provisioning mapping name used to resolve the system mapping. Must match an existing PROVISIONING mapping on the system.
directidentitycolumn Identity guarantors — pipe-separated list of usernames.
guaranteerolecolumn Role guarantors — pipe-separated list of role codes.
technicalassetcodecolumn External code of the Technical Asset to associate with the account.
multivalueseparator Character used to separate multiple values in multi-value columns. Default: |.

Behaviour Flags

Parameter Type Default Description
cancreate Boolean false Allow creating new Technical Accounts. When false, rows whose identifier is not found are silently skipped.
canoverwrite Boolean false Allow overwriting fields (code, description, validFrom, validTill) of existing accounts. When false, existing accounts are skipped.
canchangeta Boolean false Allow assigning or changing the Technical Asset (technicalassetcodecolumn) on an account. When false, the asset column is ignored even if configured.

Processing Logic per Row

read identifier from identifiercolumn
  └─ find existing TechnicalAccount by externalId = identifier
       ├─ NOT FOUND + cancreate = false  →  skip (counter++)
       ├─ NOT FOUND + cancreate = true   →  create new account
       ├─ FOUND + canoverwrite = false   →  skip, log CSV_IMPORT_ACCOUNT_SKIPPED
       └─ FOUND + canoverwrite = true    →  update account fields

(after save)
  ├─ assign identity guarantors  (directidentitycolumn)
  ├─ assign role guarantors      (guaranteerolecolumn)
  ├─ assign technical asset      (technicalassetcodecolumn, only when canchangeta = true)
  └─ link provisioning system    (systemcolumn + mappingcolumn)
       ├─ NEW account  →  find or create AccAccount, create TechnicalAccountAccount link
       └─ EXISTING account
            ├─ AccAccount found by uid  →  create link if missing
            └─ AccAccount NOT found     →  log warning, skip (no provisioning triggered)
Unknown references (identity username not found, role code not found, system not found, Technical Asset code not found) are logged as warnings and silently skipped — the account is still saved.

Multi-Value Columns

directidentitycolumn and guaranteerolecolumn can contain multiple values separated by the multi-value separator (default |). Whitespace around each value is trimmed.

Example cell value: 

jnovak|pdvorak|mmaly

Each value is resolved independently. Values that cannot be resolved are skipped with a warning.

The task only adds new guarantors — it never removes existing ones. Guarantors that were assigned previously (manually or by an earlier import) are left untouched regardless of what the current CSV contains.

System Linking Rules

The system-linking step runs after the Technical Account is saved so that it always has a valid database ID.

The task never updates an existing AccAccount — it does not change its system, mapping, or any other field. The system and mapping columns are only used when a new AccAccount needs to be created (new technical account with no matching uid on the system). For existing accounts, the task only creates a missing TechnicalAccountAccount link if one does not already exist.
Scenario Behaviour
systemcolumn not configured System linking is skipped entirely.
System name not found in CzechIdM Warning logged, system linking skipped for this row.
mappingcolumn not configured or mapping not found AccAccount is created without a system mapping reference.
New account, AccAccount with matching uid not found New AccAccount created on the system; TechnicalAccountAccount link saved.
New account, AccAccount with matching uid already exists Existing AccAccount is linked (no duplicate AccAccount created).
Existing account, AccAccount with matching uid found TechnicalAccountAccount link created if it does not already exist.
Existing account, AccAccount with matching uid not found Warning logged, AccAccount creation skipped to avoid triggering unintended provisioning.
Why no AccAccount creation for existing accounts?
The import task assumes that if a Technical Account already exists in CzechIdM, its provisioning links were set up previously (either manually or by an earlier import run). Attempting to create a new AccAccount would trigger CzechIdM's provisioning engine, which would try to CREATE the account on the real system — causing a UID conflict because the account already exists there.

Technical Asset Assignment

The technicalassetcodecolumn column is only processed when canchangeta = true. When canchangeta = false the column is ignored even if it is present in the CSV and a matching Technical Asset exists in the system.

Scenario Behaviour
canchangeta = false Technical Asset column is ignored entirely.
canchangeta = true, asset found by external code Account's technicalAsset reference is set.
canchangeta = true, asset code not found Warning logged, technicalAsset left unchanged.

Dry-Run Mode

The task supports CzechIdM's built-in dry-run flag. When dry-run is enabled:

  • No Technical Accounts are created or updated.
  • No guarantors are assigned.
  • No AccAccounts or TechnicalAccountAccount links are created.
  • New accounts are not logged — because no entity is persisted there is no object to attach a log entry to. Only accounts that already exist in the system (updates/skips) produce item-level log entries.
  • Would-be operations are written to the application log at INFO level (prefix [DRY-RUN]).
  • The task counter still increments so you can verify the row count.
To execute a dry run, enable the Dry run toggle when scheduling the task in the UI, or set dryRun = true on the IdmLongRunningTaskDto before calling LongRunningTaskManager.executeSync() in code.

Result Codes

Code State Description
CSV_IMPORT_ACCOUNT_CREATED EXECUTED Technical account was created.
CSV_IMPORT_ACCOUNT_UPDATED EXECUTED Technical account was updated.
CSV_IMPORT_ACCOUNT_SKIPPED NOT_EXECUTED Technical account was skipped.
Rows skipped because cancreate = false are counted in the progress counter but not written to the item log (no persisted entity is available to attach the log entry to).

Examples

Minimal CSV Example

Only identifier and code columns — no system, guarantors, or asset. 

identifiercolumn;codecolumn
svc-api-gateway;SVC_API_GATEWAY
svc-db-reader;SVC_DB_READER
svc-batch-runner;SVC_BATCH_RUNNER

Task configuration:

Parameter Value
identifiercolumn identifiercolumn
codecolumn codecolumn
cancreate true
canoverwrite false

Full CSV Example

identifiercolumn;codecolumn;descriptioncolumn;validfromcolumn;validtillcolumn;systemcolumn;mappingcolumn;directidentitycolumn;guaranteerolecolumn;technicalassetcodecolumn
svc-ldap-reader;SVC_LDAP_READER;LDAP read-only service account;2024-01-01;;CMS AD - Users;AD users provisioning mapping tech.;jnovak|pdvorak;role-ldap-admin|role-infra-team;ASSET-001
svc-db-backup;SVC_DB_BACKUP;Database backup service account;2024-01-01;2026-12-31;CMS AD - Users;AD users provisioning mapping tech.;mpolak;role-dba;ASSET-002

Task configuration:

Parameter Value
identifiercolumn identifiercolumn
codecolumn codecolumn
descriptioncolumn descriptioncolumn
validfromcolumn validfromcolumn
validtillcolumn validtillcolumn
systemcolumn systemcolumn
mappingcolumn mappingcolumn
directidentitycolumn directidentitycolumn
guaranteerolecolumn guaranteerolecolumn
technicalassetcodecolumn technicalassetcodecolumn
multivalueseparator |
cancreate true
canoverwrite true
canchangeta true
A blank validtillcolumn cell (like the first row above) leaves the field unchanged — it does not clear an existing validTill date.
  • by cem