We are planning to move to SAML SSO soon. One of the drawbacks of SAML is that you cannot authenticate on the API any longer. Up to this point, any user defined to use splunkweb has had access to the API. How can I find out who will be impacted by yanking API access?
I'd start with this query.
index=_internal source="*splunkd_access.log" NOT (user="-" OR user="splunk-system-user")
| dedup user
| table user
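The same filter expressed outside Splunk, as an added example that is not part of the answer above: it parses a few constructed splunkd_access.log-style lines (the combined-log layout with the user in the third field is an assumption about the log format), drops the "-" and "splunk-system-user" entries exactly as the query does, and additionally groups each user by the client address that issued the request, so an admin can eyeball which accounts arrive from somewhere other than the local splunkweb proxy before deciding who loses API access.

```python
import re
from collections import defaultdict

# Constructed sample lines in a splunkd_access.log-like layout (not real data).
SAMPLE_LINES = [
    '127.0.0.1 - alice [20/Mar/2024:10:15:01.123 +0000] "GET /servicesNS/alice/search/saved/searches HTTP/1.1" 200 512 - - - 4ms',
    '10.0.0.5 - bob [20/Mar/2024:10:15:02.456 +0000] "POST /services/search/jobs HTTP/1.1" 201 128 - - - 12ms',
    '127.0.0.1 - splunk-system-user [20/Mar/2024:10:15:03.000 +0000] "GET /services/server/info HTTP/1.1" 200 256 - - - 1ms',
    '127.0.0.1 - - [20/Mar/2024:10:15:04.000 +0000] "GET /services/server/health HTTP/1.1" 401 0 - - - 1ms',
    '10.0.0.5 - bob [20/Mar/2024:10:15:05.789 +0000] "GET /services/search/jobs/1 HTTP/1.1" 200 2048 - - - 3ms',
    '127.0.0.1 - alice [20/Mar/2024:10:15:06.000 +0000] "GET /services/server/info HTTP/1.1" 200 256 - - - 1ms',
]

# Users the SPL query excludes: unauthenticated requests and the internal system account.
EXCLUDED_USERS = frozenset({"-", "splunk-system-user"})

# Assumed field order: clientip, ident, user, [timestamp], "method uri proto", status, bytes ...
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def distinct_users(lines, excluded=EXCLUDED_USERS):
    """Mirror `NOT (user="-" OR user="splunk-system-user") | dedup user | table user`."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] in excluded:
            continue
        seen.add(rec["user"])
    return sorted(seen)


def users_by_client(lines, excluded=EXCLUDED_USERS):
    """Map each remaining user to the set of client addresses that issued requests.

    Which addresses correspond to the splunkweb proxy versus direct API callers is
    site-specific; this only surfaces the data so an admin can make that call.
    """
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] in excluded:
            continue
        clients[rec["user"]].add(rec["clientip"])
    return dict(clients)


if __name__ == "__main__":
    print("users:", distinct_users(SAMPLE_LINES))
    for user, ips in users_by_client(SAMPLE_LINES).items():
        print(f"{user}: {sorted(ips)}")
```

Feed it real lines by replacing SAMPLE_LINES with the contents of splunkd_access.log; the regex is deliberately anchored only on the leading fields so trailing timing columns can vary.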
That catches both API and splunkweb users. I'm not clear how to isolate them.
Try:
SearchHeadLevel - platform_stats.audit metrics users
SplunkAdmins GitHub or Alerts for Splunk Admins (splunkbase)