Import Users with Tokens

You can import token records and user records that were previously exported from another deployment. Users are imported into a single security domain, without group memberships. An unassigned token on the target deployment gets overwritten by a matching assigned token in the export file.

For information on how exporting users affects risk-based authentication (RBA), on-demand authentication (ODA), and RADIUS usage, see Exporting and Importing Users and Tokens Between Deployments.

Software token profiles are not imported. The association between the profile and the token is imported if the same profiles exist on the source and target deployments. For information on how to retain software token profile association for importing users with tokens, see .Exporting and Importing Users and Tokens Between Deployments.

The following information is not also imported:

  • Custom token attributes

  • Extended user attributes

  • Risk-based authentication device history

Before you begin

  • Understand how this operation will affect identity sources.See Exporting and Importing Users and Tokens Between Deployments.

  • Export the users and tokens from the source deployment.

  • If the users being imported will be stored in an external identity source on the target deployment, make sure the users already exist in the LDAP directory server that the target deployment uses.

  • Make sure you use the same User ID naming conventions on the source and the target deployments.

  • RSA recommends that you create a new security domain on the target deployment for the users and tokens being added. This makes it easier to isolate the new data and to verify its accuracy. Once you are satisfied that the import is correct, you can move this data to another suitable security domain.


  1. In the Security Console of the target deployment, click Administration > Export/Import Tokens and Users > Import Tokens and Users.

  2. In the Import Job Name field, specify the name of the import job.

  3. Select the import file location.

  4. Click Next.

  5. On the Security Domain Selection page, select the target security domain for these users and tokens. You can only select one security domain.

  6. Click Next.

  7. From the Identity Source Mapping page, select the identity source(s) on the target deployment where the system can find the associated user. If you select internal database, the user is created in the internal database on the target deployment.

  8. Click Next.

  9. On the Pre-Import Summary page, review the import operation details for accuracy.

  10. Click Import. You are directed to the Export/Import Status page. The import status is automatically refreshed.

    When the import is complete, the users are in the security domain that you selected with their assigned tokens.

  11. Run a report to view the resultsof the import job. Use the Imported Users and Tokens Report template. For more information, see Reports.

    Note: Make sure you specify the name of the import job when you run the report. Do not specify the name in the Job Name field in the Imported Users and Tokens template. Specifying it in the template will cause every report using that template to have the same name.

After you finish

Inform users that they must configure security questions and answers when they log on to the target deployment for the first time.