Alternative administrator accounts

Introduction

The document IdentityIQ Secure Deployment Guide contains a recommendation to replace the spadmin account with an alternative, non-default, administrator account. The spadmin account will still exist, but should no longer be used and its password should be stored in a safe place for emergency situations.

There are multiple ways to achieve this.

Alternative account

A simple way to create an alternative administrator account is to add an identity using an XML document, similar to the standard spadmin account. It must have a different name and id, or the id must be left empty. It must have the SystemAdministrator capability. To prevent accidental deletion it can be marked as protected. The password can be encrypted using the console, or left empty and filled in later through the user interface.

As an example, one could use the following XML:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Identity PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Identity name="altadmin" password="2:7ShTsZ++2jXLeI857XPMSAQO0Eec3V9eSHaQwFHsNR4=" protected="true">
  <Attributes>
    <Map>
      <entry key="displayName" value="Alternative Administrator"/>
      <entry key="email"/>
      <entry key="firstname" value="Alternative"/>
      <entry key="lastname" value="Administrator"/>
    </Map>
  </Attributes>
  <Capabilities>
    <Reference class="sailpoint.object.Capability" name="SystemAdministrator"/>
  </Capabilities>
</Identity>
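As an added pre-import check (not part of the original article and not IdentityIQ code), the following Python script validates an Identity XML of this shape against the points above: a name other than spadmin, no copied id, the SystemAdministrator capability, the protected flag, and no plaintext password. The sample XML is constructed, and treating a value of the form "<number>:<base64>" as console-encrypted is an assumption based on the "2:" prefix in the example.

```python
"""Sanity-check an IdentityIQ Identity XML intended to replace spadmin, before import."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the altadmin XML above; the password is a placeholder.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Identity PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Identity name="altadmin" password="2:PLACEHOLDERencryptedVALUE=" protected="true">
  <Capabilities>
    <Reference class="sailpoint.object.Capability" name="SystemAdministrator"/>
  </Capabilities>
</Identity>
"""

# Assumption: console-encrypted passwords look like "<keyId>:<base64>", as in the
# page's example "2:...". Anything else is flagged as possibly plaintext.
ENCRYPTED_RE = re.compile(r"^\d+:[A-Za-z0-9+/=]+$")


def check_admin_identity(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Identity":
        return [f"root element is {root.tag!r}, expected Identity"]

    name = root.get("name", "")
    if not name or name.lower() == "spadmin":
        findings.append("name must be set and must differ from spadmin")
    # An id copied from the spadmin export would collide with the existing object.
    if root.get("id"):
        findings.append("id attribute should be left empty for a new identity")
    if root.get("protected") != "true":
        findings.append('protected="true" is recommended to prevent accidental deletion')

    password = root.get("password")
    if password and not ENCRYPTED_RE.match(password):
        findings.append("password is not console-encrypted; encrypt it or leave it empty")

    caps = {ref.get("name") for ref in root.findall("./Capabilities/Reference")}
    if "SystemAdministrator" not in caps:
        findings.append("SystemAdministrator capability reference is missing")
    return findings


if __name__ == "__main__":
    for line in check_admin_identity(SAMPLE_XML) or ["OK: all checks passed"]:
        print(line)
```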

Workgroup

Another, more flexible option is to create a workgroup in IdentityIQ and assign the SystemAdministrator capability to that workgroup. Then all the identities that need the SystemAdministrator capability can be added to the workgroup as members.

[Screenshot: Edit Workgroup]

Members of the workgroup will inherit the capabilities assigned to the workgroup.

Role

Yet another option for creating alternative administrative accounts is to use roles. By default, none of the available role types can be used to assign capabilities: all out-of-the-box role types have the option "Disallow Granting of IdentityIQ User Rights" enabled. To allow capabilities to be assigned through a role, this option must be disabled, either on an existing role type (most likely Entitlement or IT) or on a new custom role type.

[Screenshot: Edit Role Type Definition]

Once you have configured a role type with the option to grant IdentityIQ capabilities, you can create a new role that grants SystemAdministrator rights to those identities to whom the role has been assigned.

[Screenshot: Role Editor]

Such a role can be used in standard access request processes, or can even be assigned automatically based on, for example, a job title.

Comments

Two things:

  1. As this discussion is expanding, please take this over to the IdentityIQ Forums so it is more readily searchable for others in the future and doesn't confuse the issue for readers of this article in the future. You can use the Share feature to bring it to my attention and to the attention of others on this thread so they know where the conversation went.
  2. Your statement doesn't exactly make sense to me - if spadmin owns everything, you won't be disabling spadmin, will you?  That seems odd.  But I guess if you do, having a disabled identity own things doesn't hurt anything except that the system will potentially still assign work items to that person and they won't be able to log in to address them.  Of course, you can make it forward work items assigned to that user according to the Inactive user work item escalation rule you configure for your installation.

Jennifer is right. Removing spadmin's credentials will effectively disable it (making it impossible to log in as spadmin). Make sure to set a forward to an alternative user. An option that you may want to look into is the Impersonate Plugin, that allows selected users to temporarily become spadmin or equivalent (if configured correctly).

Hello Menno,

I have posted my query in the forum, Disabling spadmin; need your guidance.

Version history: revision 2 of 2, last update Jul 27, 2023 10:09 PM.