I have been diving into SailPoint's world recently and as anyone who's just taking their first steps, I made a couple of mistakes when working with a basic configuration item. In this post, I try to outline what I did wrong and how you can avoid falling into the same pitfalls when trying to add new break glass administrators.
What Is IDN Admins?
As you would expect, you can configure multiple sources from where SailPoint can collect information that's later used to build user identities. These sources include HR platforms, Active Directory, and even good old files. IDN Admins is the first source created on any SailPoint tenant once it's provisioned, and it includes one administrator account by default.
IDN Admins is – simply put – a CSV file that includes information about the first users of your SailPoint tenant. When you finalize your contract, SailPoint will ask you for the information of your first administrator account, and that information is used to fill in the first version of the file, then import it into the platform.
As you can imagine, you could add more users to this source by downloading the file and adding the new users to it, then importing it back into your tenant. Sounds simple, right? Well, not quite. I hit a couple of small snags while trying to perform these operations, and I will tell you about them in the reminder of this post.
Faulty Assumptions
I made a couple of assumptions when I started working on this task, both assumptions were proven wrong rather quickly and one of them resulted in a support ticket.
- I assumed that when I import the new version that includes new users, it wouldn't override the existing users, turns out, it did.
- Likewise, I assumed that when the new users are imported, they will also be granted the administrator rule, turns out, they don't and an existing administrator must grant that role manually.
Lesson learned? Don't make assumptions, it will end up in misery.
Failed Imports
The process for updating this file is super simple. You download the file from the source configuration page, add your new users, save it as CSV, and upload it to the system. The import process takes few seconds. Simple as it may seem, the import operation kept failing every time I attempted it.
After some troubleshooting and trail & error, I figured out the issue. My imports were failing because:
- I didn't include all the required fields when adding new accounts. A simple oversight that was corrected after reading this article on Compass (SailPoint's Community).
- Excel was messing with the file format. Once I used a different editor, the last of my problems got resolved.
Once I resolved the issues, the import worked, but things weren't fully smooth, not yet.
Death By Omission
Thanks to the assumptions I made and once I fixed the import issues, I successfully removed my account and made it so there were no admins on the tenant, just the ending I was looking for /s.
Since I didn't keep my existing account record in the CSV file, it got removed when my import succeeded. You would say, but Ahmed, you still have the new administrator you just added, and you are right. Except for one thing, it's not an administrator, just a normal user. Talk about shooting yourself in the foot.
Not to worry, I opened a support ticket and the wonderful support team resolved the issue promptly, and I was back into my administrator account, ready to commit more shenanigans.
Epilogue
I learned a couple of things from my mistakes, and I hope now you know better than to make the same ones. Here is a short checklist for when you need to do the same procedure but want to avoid the pitfalls.
- Make sure your current administrators are in the CSV file and that all the required fields are filled in with proper information.
- Save the file as CSV.
- Once import is done, grant the new users the administrator role.
Links
- SailPoint | Identity Security for the Cloud Enterprise
- SailPoint Compass Community
- How do I update the list of IdentityNow administrators? - Compass (sailpoint.com)