Thank you harsmarvania57 for the details , great to hear its been implemented. Ours is SH cluster with 1200+ users & we are asked to work on this approach.

Have below questions, can you please shed more light on them

1) How did you map the users to the roles, is it using rest api or via splunk gui? Hope it is rest api. Also if needed i think we would be able to map the user to role from gui as well right?
2) Once the user is mapped to role, do you call some end point to refresh the authentication ? Hope refresh does not need restart of splunk instance.

On your cons #1 & #2 , is this not the case where we use LDAP groups instead of user as group? Also this delay is caused due to the user to group conversion part is it? How are listing these cons, did you compare?

On #3, if we use REST API, it is enough if we remove on the master and then the changes will be circulated to all the cluster members right?

Also can you please check below question of mine and let me know how you tackle it in your implementation.
https://answers.splunk.com/answers/738859/how-to-get-list-of-users-removed-from-ldap-but-are.html

Please find below answers

1. You can go with both the approach , REST API and GUI. If you need to provide access to 1-2 users then it will fine using GUI but let's say you need to provide access to 20 users then REST API is best. When you use GUI and click on "Map Groups" it will display all UserID as groups in Splunk Web (Keep in mind that after user to group conversion those group names are case sensitive, For example after user to group conversion - group name will be A12345 and if you add a12345 in authentication.conf then it will not work).
2. For authentication refresh, I have seen some anomaly. When I added user using REST API and reloaded (Refresh) authentication using Splunk Web, it refreshed on single SH in SH Cluster so sometimes I need to login to all SH members and need to refresh authentication (But this one I used on Splunk 6.x not on Splunk 7.x). Also I noticed that if you do not refresh authentication then at certain interval splunk automatically refresh in background and user will populate automatically on all SH members so if you are not in hurry to provide access to users then I guess reload/refresh is not require.

When you use LDAP groups to map with roles it is giving faster auth compare to group to user conversion and act that user as group, I don't have actual benchmark results for this but I have seen delay when we convert user to group.

When you use REST API, you need to fire that REST API on any single SH member in SH Cluster and it will automatically replicate configuration to other members in same SH cluster (I wrote script for this for one of the customer and script was using REST API and it was working fine to provide access but you need to provide access for each and every role(s), For exa. you have 100 roles then it was difficult to provide access to user(s) for all 100 roles, more development was needed for that script but I am no more working for that customer)

For your another question, we were running search to pull all users with roles once a week and ingesting those into summary index and after few hours another search runs on weekly basis to compare last 2 week results and if any users removed from LDAP then that scheduled search sent email to Splunk Admins and then Admin use that script to remove users from authentication.conf

@harsmarvania57 thank you very much for sharing such detailed inputs for each of the questions. Will reach back if i run into any issues with this implementation, please do keep an eye on this thread:). Apologies for delay in reverting back as i have been swarmed by other application issues and this task was off my radar for a while.