Splunk Cloud Platform

how users are deprovisioned from Splunk Cloud

sc_admin11
Engager

Considering our current setup i.e authentication and Authorization integrated with SAML, how do we
1. mark an user inactive

2. what do we do with his/her knowledge objects.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I just checked a Splunk Cloud stack and the only users with the delete option are local.  The SAML users do not have the Edit action, therefore no delete.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

1. You can't.  Splunk doesn't know if a user is active or not - only that they pass authentication (or not).  A user never signing in is just a user who never signs in rather than an inactive/expired user.  You can, however, file a support request to have the user removed.

2. Assign the user's KOs to another user.  Go to Settings->All configurations and click the "Reassign Knowledge Objects" button.

---
If this reply helps you, Karma would be appreciated.

sc_admin11
Engager

If we delete user without reassign KO to other user. Than what would happen with that KOs.

@richgalloway 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The KOs will remain, but will become "orphans" (owned by nobody).  They can be re-assigned to another user, however.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sc_admin11
Engager

Is there any search query from which we can get the inactive users? @richgalloway @_JP 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This query will tell you when each user last logged in.  It's up to you to decide which of them is "inactive".

| rest /services/authentication/users splunk_server=local | table title last_successful_login
---
If this reply helps you, Karma would be appreciated.

sc_admin11
Engager

@richgalloway in table i got empty column for 

last_successful_login

 Screenshot 2023-10-26 at 12.11.48 PM.png

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...