How do I remove/restrict the rights of a user/role so they can't delete data in Splunk?

Path Finder

We need to remove/restrict the rights to delete data in Splunk. i want to list all roles/user who currently have this right on all search heads so we can proceed with remove of these rights.

0 Karma

Ultra Champion

No user has "can_delete" role by default. So unless you have given this capability to another role, then no one should have it.

To list all the users and the roles they have you can use:

 |rest /services/authentication/users splunk_server=local 
 |fields title roles realname
0 Karma