# Assigning & Removing Users & Groups from Object Record Roles Using Vault Loader [Vault Loader](/en/lr/26597/) allows you to assign users and groups to roles and remove users and groups from roles on object records in bulk. The _Assign Users & Groups to Roles_ and _Remove Users & Groups from Roles_ actions are available for objects that have enabled custom sharing rules or matching sharing rules. ## How to Load Object Record Roles Before loading object roles, prepare the CSV input file containing user field names and values. To load object record roles: 1. In the left panel of the **Loader** tab, click **Load**. 2. For the **CSV File**, click **Choose** and select the CSV input file. 3. In the **Entity Type** drop-down, select an object type. The object must have custom sharing rules or matching sharing rules enabled. 4. In the **Action Type** drop-down, select **Assign Users & Groups to Roles** or **Remove Users & Groups from Roles**. 5. Click **Start Load**. Before processing the request, Vault [validates the selected CSV file][1]. If the file is valid, Vault begins processing the request. When finished, you'll receive a [Vault notification and email](/en/lr/26597/#loader-notifications-outputs) with request details and CSV output files. ## Preparing CSV Input Files {#preparing} The first column must be the object record ID. To add or remove users from roles, add a column header with the format `{role__c}.users`. To add or remove groups from roles, add a column header with the format `{role__c}.groups`. Add comma-delimited user and group IDs under the appropriate header for each object record ID. | id | reviewers__c.users | reviewers__c.groups | editors__c.groups | | -- | -- | -- | -- | | 346 | 61584,61531 | 29 | 35 | | 320 | | | | ## Retrieving Object Record Roles Object record roles map to _Application Role_ records. You can find all available application roles with corresponding names by navigating to **Admin > Users & Groups > Application Roles**. ## Retrieving IDs You can get object record IDs and user and group IDs with corresponding names by extracting them with Vault Loader. ## Invalid Input {#invalid-input} * When assigning users and groups to roles, Vault Loader ignores duplicate user and group IDs in the input but throws an error for invalid or inactive IDs. * When removing users and groups to roles, Vault Loader ignores invalid or inactive user and group IDs. * When inserting sharing rules for an inactive user, the entire load fails. [1]: #invalid-input [2]: #preparing