Workspace.Members.Import Csv
Tags: members, users
Endpoints
POST /members/import- ImportPOST /members/import/preview- Preview
Import
POST /api/v2/w/{workspace_uuid}/members/import
Description:
Workspace member management
Import members from CSV file with streaming progress updates.
identity_conflict_policy='overwrite_identity_fields' is intended to be
sent only after an operator reviews a preview. Two known, accepted limits:
- Preview→commit is not transactional (TOCTOU): the commit re-classifies each
row against live DB state, so under the default
skippolicy a row that became a conflict after the preview is still skipped. Underoverwritethe operator's prior approval is applied to current state, so an identity that changed between preview and commit is overwritten on the stale approval. Closing this would require optimistic locking / a preview token. - Preview-first is advisory, not enforced:
overwriterequires onlyMEMBERS_ADMIN(which can already mutate identity via the member-update API) and every overwrite is audited; there is no backend gate requiring a prior preview call.
Authorization: Requires members:admin scope
Parameters:
file(UploadFile)new_member_role_id(Integer)trust_email_addresses(Boolean)trust_phone_numbers(Boolean)identity_conflict_policy(IdentityConflictPolicy)
Preview
POST /api/v2/w/{workspace_uuid}/members/import/preview
Description:
Workspace member management
Read-only preview classifying each CSV row before any write (GRA-5545).
Returns create/update/unchanged/conflict/error counts plus, for phone-only
identity conflicts, the existing vs incoming identity so the operator can
decide before committing. @phi_audit(bulk=True) because the response can
surface existing Member PHI in bulk; the response is never logged.
Design trade-off (accepted): returning existing name/date_of_birth for
conflicted rows lets one authorized call enumerate identity PHI for the
matched members. This is the explicit purpose of the conflict-review flow —
the operator must compare existing vs incoming to choose skip/overwrite — and
is bounded to phone-only conflict rows, gated by MEMBERS_ADMIN and the
bulk PHI audit above. Identity is not returned for create/update/unchanged
rows (PHI minimization).
Authorization: Requires members:admin scope
Parameters:
file(UploadFile)new_member_role_id(Integer)trust_email_addresses(Boolean)trust_phone_numbers(Boolean)
Response: See MemberImportPreviewResponse