Working with the ‘spadmin’ account
The built-in account ‘spadmin’ is the most powerful account within IdentityIQ. It is similar in scope and function to ‘root’ in Unix or ‘administrator’ in Windows.
Some organizations may wish to rename or delete the ‘spadmin’ account, but these actions are not possible as this account is necessary for system stability and resiliency. An example of such function is where ‘spadmin’ acts as a fallback owner for objects in the system where an owner is not specified and cannot otherwise be determined.
Some organizations may wish to disable the ‘spadmin’ account, which is a supported function. Organizations which disable ‘spadmin’ are advised to first create one or more alternate administrative accounts and ensure that these objects are protected from deletion by setting the protected attribute (<Identity name="altadmin" password="****" protected="true">). Additionally, organizations which disable ‘spadmin’ must periodically check for and reassign objects which became owned by a disabled ‘spadmin’ account - a process which cannot be automated by the system and thus requires a routine manual check.
An additional best practice for working with the ‘spadmin’ account is to leverage a strong password policy featuring regular password changes, a practice which is in accordance with most organization’s security policy but should not be overlooked.
Good afternoon, @anchal_dube!
Could you please advise me what I can do after my spadmin is disabled and I don't have any another identities that have similar rights?
The issue is that spadmin identity somehow was correlated and after this became disabled.
I am working on my mock project and there are some ideas from me that I have tried already:
1. Get Object from IIQ Accelerator in VS code (not working)
2. Try to import init.xml (Don't have identity with access to console)
3. Create a row in SQL database with spadmin identity (unsuccessful)
Firstly it is advisable to create a backup account for which that identity should have "System Administrator" fuctionality.
In your case, as you don't have any backup account and "spadmin" is also disabled , please try following steps to resolve this issue.
1. In your sailpoint database(MSSQL or mysql or any other), firstly check if "spadmin" is present or not. If identity is present, note down its id value.
2. Now, from "capabity" table find corrosponding id value for "SystemAdministrator".
3. Now update both id values in table="identity_capabilities".
4. After updation, once restart sailpoint and your database.
NOTE- Screeshots attached for mysql database, please check respective things in your database. Also it is quite riskly to do modification like in production environment, so please make sure precautions for this.