Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how users are deprovisioned from Splunk Cloud

sc_admin11
Engager
‎10-17-2023 12:17 PM

Considering our current setup i.e authentication and Authorization integrated with SAML, how do we
1. mark an user inactive

2. what do we do with his/her knowledge objects.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 12:34 PM

I just checked a Splunk Cloud stack and the only users with the delete option are local.  The SAML users do not have the Edit action, therefore no delete.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 12:23 PM

1. You can't.  Splunk doesn't know if a user is active or not - only that they pass authentication (or not).  A user never signing in is just a user who never signs in rather than an inactive/expired user.  You can, however, file a support request to have the user removed.

2. Assign the user's KOs to another user.  Go to Settings->All configurations and click the "Reassign Knowledge Objects" button.

---
If this reply helps you, Karma would be appreciated.
Reply

sc_admin11
Engager
‎10-20-2023 03:39 PM

If we delete user without reassign KO to other user. Than what would happen with that KOs.

@richgalloway 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2023 05:13 PM

The KOs will remain, but will become "orphans" (owned by nobody).  They can be re-assigned to another user, however.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sc_admin11
Engager
‎10-23-2023 05:53 AM

Is there any search query from which we can get the inactive users? @richgalloway @_JP 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 05:59 AM

This query will tell you when each user last logged in.  It's up to you to decide which of them is "inactive".

| rest /services/authentication/users splunk_server=local | table title last_successful_login
---
If this reply helps you, Karma would be appreciated.
Reply

sc_admin11
Engager
‎10-26-2023 01:29 AM

@richgalloway in table i got empty column for 

last_successful_login

 Screenshot 2023-10-26 at 12.11.48 PM.png

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...