The Super Admin role is a predefined administrative role and the only role with full administrative permission for the entire deployment. A Super Admin can:
- Delegate roles to all other administrators.
- Create the security domain hierarchy.
The Super Admin is created during deployment. Only a Super Admin can perform certain critical tasks. A deployment must have at least one Super Admin.
If a Super Admin is deleted, use the Super Admin Restoration utility, restore-admin, to create a new Super Admin. RSA recommends that you assign the Super Admin role to only the most trusted administrators.
You need to restore a Super Admin if any of the following conditions exist:
- The sole Super Admin has been deleted from the deployment.
- No users have been assigned the Super Admin role.
- The sole Super Admin has been locked out.
If a Super Admin has been locked out, recovery can occur in any of the following ways:
- Another Super Admin can manually unlock the Super Admin.
- If the lockout policy that applies to the Super Admin allows auto-unlock, you can wait for lockout to expire.
If the previous methods fail, use the Super Admin Restoration utility. For instructions, see Restore the Super Admin.