Break glass Admin Access Setup

As per the process, we are planning to use a break glass admin account in SailPoint for emergency access purposes. Below is our proposed setup:

Clarifications Requested:

  1. What are SailPoint's best practices for managing break glass administrative access?
  2. We’ve observed that during the login, SailPoint prompts for MFA registration via an Authenticator App, which is not feasible for a shared account. Is there a supported way to bypass or handle this step specifically for break glass accounts?

Hi @dipali_ankush_dhonde,

I haven’t seen a best practice documentation around using the break glass account in ISC.

You can consider creating break glass accounts for a couple of the Admin team members and setting the MFA in their personal devices.

Else if you are using a shared account, consider setting up the TOTP in your manager’s device for an added layer of protection.

As @jesvin90 mentioned, that would work; another approach is to have a separate emergency access process that includes temporary access grants with MFA tied to individual users, not shared accounts.
You can also configure conditional access policies outside SailPoint to allow limited bypass only during emergencies. But that would be a lot of effort.

Thanks
Manvitha