The body of the request is a JSON object with the following fields.
| Field
|
Required
|
Type
|
Description
|
| add_roles |
optional |
JSON Array |
An array of integers that are role IDs or role names. Must be only role ids or only exact role names. New roles to be added to the existing set of roles for the user. (Used to update a record.)
|
| allowed_ips |
optional |
JSON Array |
A whitelist of IPs (CIDR netmask allowed) for automation/service accounts to restrict Splunk SOAR (On-premises) server access with the associated token. Default is an empty list, or no access.
|
| default_label |
optional |
string |
The default label to apply to containers created by an automation user. Only applies to automation/service accounts.
|
| default_tenant_id |
optional |
integer |
The default tenant to apply to containers created by an automation user. Only applies to automation/service accounts. Is overridden by the asset's tenant id or an explicit tenant id.
|
| email |
optional |
string |
Use this field if the username is not an email address or the user should be contacted at an email address that is different than the username. If this field does not contain a valid email address, the user will not receive email notifications.
|
| first_name |
optional |
string |
User's given name.
|
| type |
optional |
string |
The type of authentication to confirm user identity, "normal" (used for local users), "ldap", "openid", or "saml2".
|
| last_name |
optional |
string |
User's family name.
|
| location |
optional |
string |
Physical location of th user. Usually an office or city location.
|
| password |
optional |
string |
Password for the user in clear text (communication happens over HTTPS for security). This field is required when creating a non-AD user. Otherwise is optional. Cannot be used on an AD user.
|
| remove_roles |
optional |
JSON Array |
An array of integers that are role IDs or role names. Must be only role ids or only exact role names. List of roles to be removed from the existing set of roles for the user. (Used to update a record.)
|
| roles |
optional |
JSON Array |
Array of integers that are role IDs or role names. Must be only role ids or only exact role names. This sets or completely replaces the user's roles. Overrides add_roles and remove_roles.
|
| time_zone |
optional |
string |
Time zone user works in. See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of time zones.
|
| title |
optional |
string |
User's title.
|
| type |
optional |
string |
Set to "automation" when creating a automation/service account. Can only be set when creating a user, ignored on update.
|
| username |
required |
string |
User's login name.
|
| 2fa |
optional |
string |
String indicating two factor authentication for the user. Currently the only valid values for this are "duo" and null.
|
| 2fa_username |
optional |
string |
Username to use for 2FA if not using the user's username.
|
Example request
Create a standard user.
curl -k -u admin:changeme https://localhost/rest/ph_user \
-d '{
"username": "john.doe@example.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@example.com",
"title": "Automation Engineer",
"location": "Palo Alto",
"time_zone": "US/Pacific",
"password": "cleartextpassword",
"roles": [8, 14, 23],
"2fa": "duo",
"2fa_username": "johndoe"
}'
Example request
Create an automation/service user. Fewer fields are required for this type of user.
curl -k -u admin:changeme https://localhost/rest/ph_user \
-d '{
"allowed_ips": ["10.10.0.0/16"],
"username": "service_account",
"roles": ["Automation"],
"type": "automation"
}'
Example request
Create an LDAP user. Fewer fields are required for this type of user.
curl -k -u admin:changeme https://localhost/rest/ph_user \
-d '{
"username": "john.doe@example.com",
"email": "john.doe@example.com",
"time_zone": "US/Pacific",
"type": "ldap",
"roles": [8, 14, 23],
"2fa": "duo",
"2fa_username": "johndoe"
}'
Example response
A successful response includes the numeric Id given to the user.
{
"id": 34,
"success": true
}
Download manual
Feedback submitted, thanks!