Disabling the Default Admin User of the System
If required, the default “admin” user of the system (also known as the "admin user of the built-in default tenant", and hereinafter referred to as the “default admin user”) of the system, can be disabled for security reasons (since this user has no limitations on what they have access to, and what actions they can perform in the system).
NOTE: The user name "admin" is the default name (and may have been changed) that is defined during installation of Syteca Application Server.
After disabling the default admin user, any other Management Tool users in the default Administrators user group can instead administer the system, but in a limited and configurable manner (i.e. what they have access to, and what actions they can perform is limited, and can be configured as required).
NOTE: To disable the default admin user, at least one user must first be added to the default Administrators user group.
Table of Contents
1. Disabling the Default Admin User
To disable the default admin user of the system, do the following:
1. Log into the Management Tool as any user in the default Administrators user group (except the default "admin" user).
NOTE: Only a user (either added as an internal user or Active Directory user, or belonging to an Active Directory user group added) in the default Administrators user group can disable the default admin user.
2. Click on the Users navigation link (on the left).
3. On the Users page that opens, edit the default “admin” user of the system by clicking on the Edit User (
4. On the Editing User page, on the User Details tab that opens, click the Disable User button (in the bottom left of the page).
NOTE: The Disable User button (which is only available when editing the Default admin user) is only displayed if at least one internal user or Active Directory user / user group has been added to the default Administrators user group.
5. Click Confirm in the Warning popup window that opens.
NOTE: The default admin user cannot be disabled (i.e. the Confirm button is not displayed) if they are the only user having ownership of any existing options/rules (i.e. Reports, Secrets, Access Requests, and USB Rules) added in the Management Tool. Therefore, at least one other user must first be added to all such options/rules (or these options/rules can instead be deleted).
2. Requirements (and Where to Find the Options/Rules) for Disabling the Default Admin User
It is not possible to disable the default admin user in the following cases, unless the requirements described below are first met:
| Оptions/Rules | Case | Requirement (to be Able to Disable the Default Admin User) |
| Scheduled Reports | The default admin user is the only user in a Scheduled Report rule who can download the reports generated. | To disable the default admin user, at least one other user must first be added in the Who Can Download section of the Scheduled Report rule. NOTE: If the default admin user is the owner of (i.e. the user who added) the Scheduled Report rule, then when the default admin user is disabled, the Scheduled Report rule stops running and is not displayed (on the Scheduled Reports tab) on the Reports page. |
| Secrets | The default admin user is the only Owner of a secret. | To disable the default admin user, at least one other user must first be added to the secret as an Owner of the secret. |
| The default admin user is the only Owner of a folder. | To disable the default admin user, at least one other user must first be added to the folder (that secrets are stored in) as an Owner of the folder. | |
| Access Requests | The default admin user is the only user who can approve Endpoint Access requests. | To disable the default admin user, at least one other user must first be added to the Users Who Can Approve Access field in the Endpoint Access Control user (i.e. rule). |
| The default admin user is the only user who can approve One-Time Password requests. | To disable the default admin user, at least one other user must first be added to the Users who can approve access field (on the Authentication Options tab), on the Editing Client / Editing Client Group page. | |
| The default admin user is the only user who can approve Access to Usage of Secret requests. | To disable the default admin user, at least one other user must first be added to the Users who can approve access field (on the Restrictions tab), on the Edit Secret page. | |
| The default admin user is the only user who can approve Mass Storage Device Access requests. | To disable the default admin user, at least one other user must first be added to the Users who can approve access field (on the Additional Options tab) in the USB rule. |
NOTE: When the default admin user is disabled, it is not possible to delete the last remaining user from the default Administrators user group.
3. Restrictions in Functionality After Disabling the Default Admin User
a) Pseudonymizer
When the default admin user is disabled, the Enable De-Anonymization Password section is hidden (on the Pseudonymization tab), on the Configuration page (if the Pseudonymization feature is enabled in the license serial key), and if the Enable de-anonymization request approval using password checkbox is selected when disabling the default admin user, then this feature still functions as normal.
NOTE: Deselecting the checkbox (and changing the de-anonymization password) is not possible if the default admin user is disabled.
b) Syteca Tray Notifications Application
When the default admin user is disabled, logging in to (and therefore using) the Tray Notifications Application is not possible.
c) Syteca API Data Connector
When the default admin user is disabled, the API key of the default admin user can no longer be used for API requests. The API key of a user in the default Administrators user group needs to be used instead.
NOTE: The Data Connector (v. 1.9) can currently only be installed using the credentials of the default admin user, so installation is not possible if the default admin user is disabled.
d) Account Discovery
When the default admin user is disabled, if they were added to the Send email notifications about new accounts found to field in an Account Discovery rule, then they are deleted from this field and no longer receive receives email notifications.
e) Multi-Tenant Mode
When the default admin user is disabled, the default "admin” username is no longer displayed for the Built-in default tenant (in the Tenant Admin column) on the Tenants page.