IdentityIQ and the "spadmin" Identity

Working with the ‘spadmin’ account 

The built-in account ‘spadmin’ is the most powerful account within IdentityIQ. It is similar in scope and function to ‘root’ in Unix or ‘administrator’ in Windows. 

Some organizations may wish to rename or delete the ‘spadmin’ account, but these actions are not possible, as the account is necessary for system stability and resiliency. For example, ‘spadmin’ acts as the fallback owner for objects whose owner is not specified and cannot otherwise be determined.

Some organizations may wish to disable the ‘spadmin’ account, which is a supported function. Organizations that disable ‘spadmin’ are advised to first create one or more alternate administrative accounts and to protect these objects from deletion by setting the protected attribute (<Identity name="altadmin" password="****" protected="true">). Additionally, organizations that disable ‘spadmin’ must periodically check for and reassign objects that have become owned by the disabled ‘spadmin’ account; the system cannot automate this, so it requires a routine manual check.

An additional best practice for working with the ‘spadmin’ account is to apply a strong password policy with regular password changes, a practice that is in accordance with most organizations’ security policies but should not be overlooked.
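As an added example (not SailPoint code and not part of this article), the two pieces of advice above modelled in Python: a precondition check that a protected alternate administrator exists before ‘spadmin’ is disabled, and the routine check for objects whose effective owner has fallen back to a disabled ‘spadmin’ (or to any other disabled identity), with reassignment to an enabled owner. The `Identity` and `OwnedObject` records, the identity and object names, and the `protected`/`disabled` flags are constructed assumptions standing in for what you would export from IdentityIQ.

```python
"""Periodic owner check for a disabled 'spadmin' account (added example).

IdentityIQ does not automate this check, so this models it over a
constructed inventory such as you might export from the console or API.
Everything below is sample data, not SailPoint's own schema or code.
"""
from dataclasses import dataclass, field
from typing import Optional

FALLBACK_OWNER = "spadmin"                    # built-in fallback owner per the article
SYSADMIN_CAPABILITY = "SystemAdministrator"   # capability name used in the thread


@dataclass
class Identity:
    name: str
    disabled: bool = False
    protected: bool = False                   # the protected="true" attribute
    capabilities: set = field(default_factory=set)


@dataclass
class OwnedObject:
    kind: str                                 # e.g. "Application", "Bundle" (constructed)
    name: str
    owner: Optional[str]                      # None models "owner not specified"


def effective_owner(obj, identities):
    """Owner the system would use: the explicit owner if it exists, else spadmin."""
    if obj.owner is not None and obj.owner in identities:
        return obj.owner
    return FALLBACK_OWNER


def alternate_admins(identities):
    """Enabled, protected identities holding SystemAdministrator, other than spadmin."""
    return sorted(
        i.name for i in identities.values()
        if i.name != FALLBACK_OWNER and not i.disabled and i.protected
        and SYSADMIN_CAPABILITY in i.capabilities)


def can_disable_spadmin(identities):
    """Precondition from the article: at least one protected alternate admin exists."""
    return len(alternate_admins(identities)) > 0


def find_orphaned_objects(objects, identities):
    """Objects whose effective owner is disabled or missing (including fallback to spadmin)."""
    orphans = []
    for obj in objects:
        owner = identities.get(effective_owner(obj, identities))
        if owner is None or owner.disabled:
            orphans.append(obj)
    return orphans


def reassign_orphans(objects, identities, new_owner):
    """Reassign orphaned objects to new_owner; returns (objects, change log).

    Refuses a new owner that is unknown or disabled, so the check cannot
    silently move objects to yet another dead account.
    """
    target = identities.get(new_owner)
    if target is None or target.disabled:
        raise ValueError(f"{new_owner!r} is not an enabled identity")
    log = []
    for obj in find_orphaned_objects(objects, identities):
        log.append((obj.kind, obj.name, effective_owner(obj, identities), new_owner))
        obj.owner = new_owner
    return objects, log


# Constructed sample data: spadmin disabled, one protected alternate admin.
SAMPLE_IDENTITIES = {
    "spadmin": Identity("spadmin", disabled=True, protected=True,
                        capabilities={SYSADMIN_CAPABILITY}),
    "altadmin": Identity("altadmin", protected=True, capabilities={SYSADMIN_CAPABILITY}),
    "jdoe": Identity("jdoe", disabled=True),
}


def sample_objects():
    """Fresh copy of the constructed inventory (so repeated runs start clean)."""
    return [
        OwnedObject("Application", "Active Directory", "altadmin"),
        OwnedObject("Application", "HR Feed", None),              # no owner -> spadmin
        OwnedObject("Bundle", "Finance Analyst", "jdoe"),         # owner disabled
        OwnedObject("TaskDefinition", "Nightly Aggregation", "spadmin"),
        OwnedObject("Bundle", "Contractor", "ghost"),             # owner gone -> spadmin
    ]


if __name__ == "__main__":
    if not can_disable_spadmin(SAMPLE_IDENTITIES):
        raise SystemExit("create a protected alternate admin before disabling spadmin")
    _, changes = reassign_orphans(sample_objects(), SAMPLE_IDENTITIES, "altadmin")
    for kind, name, old, new in changes:
        print(f"{kind} '{name}': {old} -> {new}")
```

Run it on a schedule against a real export and review the printed log before applying any change; the reassignment target must itself be one of the protected alternate administrators.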

Comments

Good afternoon, @anchal_dube!

Could you please advise me what I can do after my spadmin is disabled and I don't have any other identities that have similar rights?

The issue is that the spadmin identity was somehow correlated and after this became disabled.

I am working on my mock project and there are some ideas from me that I have tried already:

1. Get Object from IIQ Accelerator in VS code (not working)
2. Try to import init.xml (Don't have identity with access to console)
3. Create a row in SQL database with spadmin identity (unsuccessful) 

Hi @Arsenii_Shargorodskyi ,

Firstly, it is advisable to create a backup account, and that identity should have "System Administrator" functionality.

In your case, as you don't have any backup account and "spadmin" is also disabled, please try the following steps to resolve this issue.

1. In your SailPoint database (MSSQL, MySQL or any other), first check whether "spadmin" is present. If the identity is present, note down its id value.

[Screenshot: identity.PNG]

2. Now, from the "capability" table, find the corresponding id value for "SystemAdministrator".

[Screenshot: Capa.PNG]

3. Now update both id values in the "identity_capabilities" table.

[Screenshot: idCap.PNG]

4. After updating, restart SailPoint and your database once.

NOTE: The attached screenshots are for a MySQL database; please check the respective items in your database. Also, it is quite risky to do modifications like this in a production environment, so please take precautions for this.

Last update: Feb 13, 2023 11:30 AM