The "spadmin" Account and System Administrator Capability
The spadmin account is the most powerful account of the IdentityIQ system, similar to the root account on a Unix system or an Administrator account on Windows. A common recommendation for securing a Windows installation is to create an alternate administrative account and disable the original. For IdentityIQ, creating an alternative account is a good practice, but the spadmin account should not be disabled. The spadmin password, however, should always be changed from the default to a strong password per your company's security policy.
If an alternate administrative account is created for IdentityIQ, protect it from deletion by setting the protected attribute to true on the Identity object (for example, <Identity name="altadmin" password="****" protected="true">).
If multiple persons operate the IdentityIQ system as administrators, a good practice is to create separate administrative accounts for each administrator. Alternatively, you can create a work group with system administrator capabilities and add the persons who operate the system as members of the work group.
IMPORTANT: The spadmin identity is used as an owner of some system objects as well as a fallback owner for objects such as work items when the appropriate owner is not specified or cannot be determined. This adds resiliency and stability to the system. At this time, an identity named spadmin must exist in the system.
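As an added example (not SailPoint's code), the following check audits an exported identity file for the two conditions described above: every administrator identity is protected from deletion, and an identity named spadmin exists. The <Capabilities>/<Reference> layout, the capability name SystemAdministrator, the identity ops.admin2 and the function name are assumptions made for illustration; the sample export is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only the <Identity> name/protected attributes come
# from the page; the <Capabilities>/<Reference> layout is an assumption.
SAMPLE_EXPORT = """<sailpoint>
  <Identity name="spadmin" protected="true">
    <Capabilities><Reference class="sailpoint.object.Capability" name="SystemAdministrator"/></Capabilities>
  </Identity>
  <Identity name="altadmin" protected="true">
    <Capabilities><Reference class="sailpoint.object.Capability" name="SystemAdministrator"/></Capabilities>
  </Identity>
  <Identity name="ops.admin2">
    <Capabilities><Reference class="sailpoint.object.Capability" name="SystemAdministrator"/></Capabilities>
  </Identity>
  <Identity name="jdoe"/>
</sailpoint>"""

ADMIN_CAPABILITY = "SystemAdministrator"  # assumed capability name


def audit_admin_identities(xml_text, required=("spadmin",)):
    """Return a list of findings for an exported identity file (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = set()
    for ident in root.iter("Identity"):
        name = ident.get("name", "")
        seen.add(name)
        caps = {ref.get("name") for ref in ident.findall("./Capabilities/Reference")}
        if ADMIN_CAPABILITY not in caps:
            continue  # not an administrator, nothing to check
        # A missing protected attribute is treated the same as protected="false".
        if ident.get("protected", "false").lower() != "true":
            findings.append(f"{name}: administrator identity is not protected from deletion")
    # The spadmin identity must exist because it owns system objects.
    for name in required:
        if name not in seen:
            findings.append(f"{name}: required identity is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_identities(SAMPLE_EXPORT):
        print(finding)
```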