We need to remove/restrict the rights to delete data in Splunk. i want to list all roles/user who currently have this right on all search heads so we can proceed with remove of these rights.
No user has "can_delete" role by default. So unless you have given this capability to another role, then no one should have it.
To list all the users and the roles they have you can use:
|rest /services/authentication/users splunk_server=local
|fields title roles realname