For administration of Tufin SecureTrack and Tufin SecureChange you need at least one administrative account. This account must not be lost and the password must not be forgotten. If it is forgotten, there is a way to reset the admin account if CLI access is possible as root.

SecureChange / SecureApp

It's not possible to create a new user, so a reset of the user "admin" is done. Resetting the admin account requires access to the correct pod in the Kubernetes Cluster. You need to enter the pod, then use a command and leave the pod afterwards: 

# kubectl exec -it deploy/sc-server -- bash
pod$> scw reset-admin
pod$> exit
# 

This procedure resets the admin account to the password "admin", so access with admin/admin ist possible. For sure, the password admin needs to be changed at the next login.

SecureTrack

The procedure shown for SecureChange doesn't work for SecureTrack. But there is a command that will allow you to define a new local (administrative) user. As before, you need to configure it via the correct pod. After calling the command, the needed information is requested by the system. 

# kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r add_st_admin_user
Username: <user>
Password: <pass>
Confirm Password: <pass>
Admin user <user> is added.
#

After having finished the command, a new user with permissions "administrator" is known in SecureTrack. As usual, the system requires a password change at the first login. 
It's not reasonable to add a person with the permissions of "user" to the system, because it's possible with the newly created admin user after login.