Doesn’t the method Delete Embedding Credential of a user instead of deleting a user? I am inexperienced in Looker, so I may not understand some naming conventions, though… What I need is to identify and delete of users of the type embed whose external_user_id ends with a certain string. Those are no interactive users, they get authenticated outside Looker and have no credentials of their own.

more specifically, what happens to an embed user (created by Looker on the fly per SSO embed request) after session_length seconds pass?

It requires the user to login again.

Yes, it would delete the credentials of one embed user not the user itself. 

You can use the API to get all embed credentials including the external_user_id field:

https://docs.looker.com/reference/api-and-integration/api-reference/v3.1/user#get_all_embedding_cred...

Then, use the delete user API to delete the list of user IDs (one at a time - there is no bulk delete that I know of) that meet your criteria:

https://docs.looker.com/reference/api-and-integration/api-reference/v3.1/user#delete_user

Thank you, @cranium025! 

I can see I need to work on how to mark users so that I can search for them…

user_for_credential(credential_type, credential_id, fields) looks hopeful, but it’s a shame it doesn’t support wildcards, otherwise I would use it like:

user_for credentials(‘embed’, ‘%@12345’)

But instead, I will probably create fictitious emails (or even last_name = 12345) so that I can do 

search_users_names(pattern = ‘%@12345’, fields, page, per_page, sorts, id, first_name, last_name, verified_looker_employee, email = true, is_disabled)

on them.