Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can the REST call to delete a user from Splunk be called from the search command "|rest /services/authentication/users/"?

pgreer_splunk
Splunk Employee
Splunk Employee
‎07-18-2016 09:52 AM

I believe the answer to this is 'no' - but, worth asking to make sure:

Can the rest call to delete a user from Splunk be called from the search '| rest' command?

End point is documented here: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTaccess#authentication.2Fusers.2F.7Bnam...

Of course I can get info for the user from the search:

|rest /services/authentication/users/user1

And sure I can delete a user with the command:

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1

But - for a user of Splunk Cloud (not having access to the CLI or REST outside of Cloud), can the search | rest /services/authentication/users/user1 be used in some form to perform the DELETE operation?

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-18-2016 11:01 AM

You're correct on guessing the answer. No, the rest search command only supports GET calls.

On the other notes, if you're looking for a way to be able to delete the user from search, have a look at the custom search command. You can create your own search command to call the curl command to delete user.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Aboutcustomsearchcommands
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

View solution in original post

Reply
Solved! Jump to solution

dominiquevocat
Motivator
‎08-03-2017 07:33 AM

Maybe this helps?
https://splunkbase.splunk.com/app/2775/

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-18-2016 11:01 AM

You're correct on guessing the answer. No, the rest search command only supports GET calls.

On the other notes, if you're looking for a way to be able to delete the user from search, have a look at the custom search command. You can create your own search command to call the curl command to delete user.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Aboutcustomsearchcommands
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Reply
Solved! Jump to solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎07-18-2016 02:45 PM

Thought that was the case. Thanks for confirming!

Leads me to put into place an enhancement request. For SAML authentication, there is not a way to delete a user once provisioned through a successful SAML interchange. With locally defined users, the admin role can easily remove the user through the UI, with LDAP we support the ability to have LDAP remove the user in Splunk, with SAML - nope. So once the user is defined, if the person leaves the organization they're removed from the IDP - so technically they can't log in, but their user definition sits out in Splunk (indefinitely - or until Splunk Ops/Support performs the remove from the CLI (curl command)).

0 Karma
Reply
Solved! Jump to solution

pagillar
Explorer
‎11-15-2022 07:07 AM

Just wondering if you ever got solution to remove saml users once user is disabled or left organization , as you said user is defined and it stays in splunk.

0 Karma
Reply
Solved! Jump to solution

ASierra
Explorer
‎12-23-2022 05:39 AM

This is to remove a SAML user that has left the organization. Before deleting, reassign any objects, reports, and alerts that user may have.

 

curl -k -u <adminaccount>:<password> --request DELETE https://<instancename>.splunkcloud.com:8089/services/admin/SAML-user-role-map/username@domain.com

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...