In earlier versions of Splunk I remember there used to be an option to disable an active user, and it would then show a status of inactive/user disabled. Now I can't see any option to disable any user. Only the delete option is there. Does anyone have any idea how to disable a user now or, if this capability of Splunk has been removed, what the alternative is?
Hi @Mridu27 ,
In addition to the solutions from @livehybrid and @kiran_panchavat, you could simply change the password of this user, so the user will be active but practically disabled!
Ciao.
Giuseppe
Hi @Mridu27
Unfortunately there isn't a capability to disable a user in Splunk. There is an Idea raised for this which you might like to upvote though - https://ideas.splunk.com/ideas/PLECID-I-682
There are a few options to prevent users accessing Splunk, some mentioned in other answers such as the one @kiran_panchavat suggested (https://community.splunk.com/t5/Security/Disable-user-account-temporary/td-p/396592). However, in the currently supported versions it isn't possible to remove all roles from a user, and I wouldn't recommend editing the web.conf to limit by IP, as if you are disabling a user for security concerns then they still may be able to access via other IPs, and you also risk blocking out valid users.
Ultimately the best solution may boil down to your specific environment, e.g. OnPrem/Splunk Cloud, Local users, LDAP or SSO/SAML.
What are you using for authentication? If you are using local Splunk accounts then I would recommend creating a blank role with No capabilities and No roles inherited - this means that they cannot interact with Splunk if they attempted to log in; they couldn't run a search, for example. Then assign only that role to the user.
However - if you are using SAML/SSO then it's the SAML provider that sends the groups that the user belongs to. In this scenario you should disable the user or remove the groups from the Identity Provider, as changing these in Splunk will mean they get overridden if they logged in!
Quick side note - you may see an "Active" status next to users in the Splunk User list - whilst there isn't a capability to disable users, a user can be in a "locked out" state if they fail to log in too many times.
You can either remove all roles associated with the user or simply delete the user altogether.
There is no way to disable accounts unfortunately.
Some suggestions:
acceptFrom = <network_acl> ...
* Lists a set of networks or addresses from which to accept connections.
* Separate multiple rules with commas or spaces.
* Each rule can be in one of the following formats:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A Classless Inter-Domain Routing (CIDR) block of addresses
       (examples: "10/8", "192.168.1/24", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard
       (examples: "myhost.example.com", "*.splunk.com")
    4. "*", which matches anything
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches. For example, "!10.1/16, *" allows connections from everywhere
  except the 10.1.*.* network.
* Default: "*" (accept from anywhere)
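The first-match rule evaluation described in the acceptFrom text above, as an added example that is not part of the original posts and is not Splunk's code. It shows that the decision depends only on the source address, never on the account, which is the limitation raised earlier in the thread. Assumptions: shorthand CIDR blocks are padded with zeros, a connection matching no rule is rejected, and DNS rules are checked against a hostname supplied by the caller instead of a reverse lookup.

```python
import ipaddress
from fnmatch import fnmatch

def _expand_cidr(rule):
    """Pad shorthand such as "10/8" or "fe80:1234/32" to a full network (assumed behaviour)."""
    addr, _, prefix = rule.partition("/")
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"
    else:
        addr = ".".join(addr.split(".") + ["0"] * (3 - addr.count(".")))
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _rule_matches(rule, ip, hostname):
    if rule == "*":                        # format 4: matches anything
        return True
    if "/" in rule:                        # format 2: CIDR block
        return ip in _expand_cidr(rule)
    try:                                   # format 1: single address
        return ip == ipaddress.ip_address(rule)
    except ValueError:                     # format 3: DNS name, "*" wildcard
        return hostname is not None and fnmatch(hostname.lower(), rule.lower())

def accept_from(acl, client_ip, hostname=None):
    """Return True if the ACL accepts client_ip; rules apply in order, first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in acl.replace(",", " ").split():
        negate = rule.startswith("!")
        if _rule_matches(rule[1:] if negate else rule, ip, hostname):
            return not negate
    return False  # assumption: no rule matched, so reject

if __name__ == "__main__":
    acl = '!10.1/16, *'                    # the example from the acceptFrom text
    # Constructed sample addresses: the same account arriving from two networks.
    for src in ("10.1.44.7", "203.0.113.9"):
        print(src, "accepted" if accept_from(acl, src) else "rejected")
```
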