IdentityIQ and the "spadmin" Identity

Working with the ‘spadmin’ account 

The built-in account ‘spadmin’ is the most powerful account within IdentityIQ. It is similar in scope and function to ‘root’ in Unix or ‘administrator’ in Windows. 

Some organizations may wish to rename or delete the ‘spadmin’ account, but these actions are not possible because the account is necessary for system stability and resiliency. For example, ‘spadmin’ acts as the fallback owner for objects in the system where an owner is not specified and cannot otherwise be determined.

Some organizations may wish to disable the ‘spadmin’ account, which is a supported function. Organizations that disable ‘spadmin’ are advised to first create one or more alternate administrative accounts and ensure that these Identity objects are protected from deletion by setting the protected attribute (<Identity name="altadmin" password="****" protected="true">). Additionally, organizations that disable ‘spadmin’ must periodically check for and reassign objects that have become owned by the disabled ‘spadmin’ account. The system cannot automate this process, so it requires a routine manual check.
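
As an aid to that routine check, the following added example (not SailPoint code) scans an XML export of IdentityIQ objects for anything still owned by ‘spadmin’ and confirms that the alternate administrative identities carry protected="true". It assumes ownership is serialized as an <Owner><Reference .../></Owner> child element; the export text, the object names and ‘altadmin2’ are constructed sample data.

```python
import xml.etree.ElementTree as ET

IDENTITY_CLASS = "sailpoint.object.Identity"

# Constructed sample shaped like an IdentityIQ XML object export. Assumption:
# ownership is serialized as <Owner><Reference class=... name=.../></Owner>.
SAMPLE_EXPORT = """<sailpoint>
  <Identity name="altadmin" protected="true"/>
  <Identity name="altadmin2"/>
  <TaskDefinition name="Nightly Aggregation">
    <Owner><Reference class="sailpoint.object.Identity" name="spadmin"/></Owner>
  </TaskDefinition>
  <Bundle name="Finance Approver">
    <Owner><Reference class="sailpoint.object.Identity" name="altadmin"/></Owner>
  </Bundle>
  <Rule name="Legacy Correlation">
    <Owner><Reference class="sailpoint.object.Identity" name="spadmin"/></Owner>
  </Rule>
</sailpoint>"""


def objects_owned_by(root, owner):
    """Return sorted (object type, object name) pairs whose Owner is `owner`."""
    hits = []
    for obj in root.iter():
        ref = obj.find("Owner/Reference")  # direct Owner child of this object
        if ref is None or ref.get("name") != owner:
            continue
        if ref.get("class", IDENTITY_CLASS) == IDENTITY_CLASS:
            hits.append((obj.tag, obj.get("name", "<unnamed>")))
    return sorted(hits)


def unprotected_admins(root, admin_names):
    """Return admin names that are missing or lack protected="true"."""
    protected = {i.get("name") for i in root.iter("Identity")
                 if i.get("protected") == "true"}
    return sorted(set(admin_names) - protected)


def audit(xml_text, fallback_owner="spadmin", alt_admins=("altadmin",)):
    """Parse an export and report objects to reassign and unprotected admins."""
    root = ET.fromstring(xml_text)
    return {"reassign": objects_owned_by(root, fallback_owner),
            "unprotected": unprotected_admins(root, alt_admins)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, alt_admins=("altadmin", "altadmin2"))
    for kind, name in report["reassign"]:
        print(f"reassign owner: {kind} '{name}'")
    for name in report["unprotected"]:
        print(f"not protected from deletion: {name}")
```

The report lists candidates only; reassigning ownership remains an administrator action inside IdentityIQ.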

 
An additional best practice for working with the ‘spadmin’ account is to apply a strong password policy featuring regular password changes. This practice is in accordance with most organizations’ security policies, but it should not be overlooked.

Version history: Revision 3 of 3. Last update: May 16, 2026 06:32 AM.