I have about 125 accounts I need to change the role on. This has to be possible via the REST API. Any thoughts from anyone out there in splunk land?
I'd edit the configuration file from the CLI. By the time you scripted a solution via the REST API, you could have hand-typed the changes (of course you should be using search-and-replace tools, not hand editing everything)
If this is related to https://answers.splunk.com/answers/561656/adding-users-via-rest-api-on-search-head-cluster.html then don't touch config files on the search heads. SHC doesn't like that.
It does if you do it on the Deployer 😆
Ideally, you'd move the users into different groups in your LDAP, or map the users' group to a different role in your LDAP mapping inside of splunk.
Failing that, you can of course modify users via REST - after all, any click you do in the UI translates to a REST call under the hood. Check out http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTaccess#authentication.2Fusers - the POST takes a roles parameter to update role assignment.
