eReplication creates different system management users to implement rights- and domain-based management.
eReplication provides four default system management groups, as listed in Table 1.
Table 1 Permissions of the default administrator groups

| User Role | Permission |
| --- | --- |
| administrator | Admin Role users. Have permissions for all eReplication operations except configuring the admin user and other Admin Role users. |
| operator | Operator Role users. Such users have the following permissions: view and refresh resources and all operation permissions on sites; all operation permissions on protected groups; all operation permissions on recovery plans; all operation permissions for monitoring; view online administrators, view and configure system performance, all operation permissions for data maintenance, view and export system operation logs, and notify server. |
| auditor | Auditor Role users. Such users only have permissions to view operation log dumps and to view and export system operation logs. |
| NBIRole | Users belonging to the Third-Party System User Group. Such users only have permissions to view sites and protected groups, and to view and execute recovery plans. |
eReplication provides two default system administrators, as listed in Table 2.
Table 2 Default administrator permissions

| User Role | Permission |
| --- | --- |
| admin | Default administrator provided by the system. User admin has permissions for all operations on eReplication and cannot be deleted. |
| SyncAdmin | This user is used only for communication within the OceanStor BCManager eReplication service. |
Rights- and domain-based management of eReplication, and the IP address restriction on access to eReplication, are implemented through the configuration of administrators and administrator groups. The details are as follows:
- An administrator group is a set of operation permissions. Allocating an administrator to an administrator group makes that administrator inherit the operation permissions of the group (rights-based management).
- The system provides the default administrator admin. admin has all operation permissions and can manage all resources; note that admin cannot be modified. To implement rights- and domain-based management, create an administrator and select both an administrator group (the rights) and the resources the administrator may manage (the domain).
- For each administrator you can select the IP address segments from which eReplication may be accessed, restricting the source addresses that can log in with that account.
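The three gates described above (source IP segment, group permissions, resource domain) can be modelled as independent checks that must all pass before an operation is allowed. The following is an added illustration, not eReplication's own code or configuration format: the permission names, the site identifiers and the IP segments are assumptions chosen for the demo, patterned on the role descriptions in Table 1.

```python
"""Illustrative model of rights- and domain-based management with IP restriction.

Added example code, not eReplication's implementation: the permission names,
resource identifiers and IP segments below are assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Administrator groups as sets of operation permissions (hypothetical names,
# patterned on the role descriptions in Table 1). A trailing ".*" grants every
# operation on that object type.
ADMIN_GROUPS = {
    "administrator": {"site.*", "protected_group.*", "recovery_plan.*",
                      "monitor.*", "log.*", "maintenance.*"},
    "operator": {"site.*", "protected_group.*", "recovery_plan.*",
                 "monitor.*", "log.view", "log.export", "maintenance.*"},
    "auditor": {"log.view", "log.export"},
    "NBIRole": {"site.view", "protected_group.view",
                "recovery_plan.view", "recovery_plan.execute"},
}


@dataclass
class Administrator:
    name: str
    group: str
    # Resource domain: the site IDs this administrator may manage.
    # None means "all resources" (the built-in admin has no domain limit).
    resources: Optional[frozenset] = None
    # Source IP segments (CIDR strings) allowed to reach eReplication for
    # this account. An empty list means no restriction.
    allowed_segments: list = field(default_factory=list)


def group_grants(group: str, permission: str) -> bool:
    """Rights check: does the administrator group carry this permission?"""
    granted = ADMIN_GROUPS.get(group, set())
    obj = permission.split(".", 1)[0]
    return permission in granted or f"{obj}.*" in granted


def ip_allowed(admin: Administrator, client_ip: str) -> bool:
    """Source-IP restriction: an empty segment list means unrestricted."""
    if not admin.allowed_segments:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(seg) for seg in admin.allowed_segments)


def authorize(admin: Administrator, client_ip: str, permission: str, site: str) -> tuple:
    """Three independent gates: network, rights (group), domain (resources).

    Returns (allowed, reason) so a caller can log the first failing gate.
    """
    if not ip_allowed(admin, client_ip):
        return False, "source IP not in an allowed segment"
    if not group_grants(admin.group, permission):
        return False, f"group {admin.group} lacks {permission}"
    if admin.resources is not None and site not in admin.resources:
        return False, f"site {site} is outside the administrator's domain"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an operator limited to SiteA and to one subnet.
    dr_operator = Administrator("dr-op", "operator", frozenset({"SiteA"}), ["10.0.0.0/24"])
    print(authorize(dr_operator, "10.0.0.5", "recovery_plan.execute", "SiteA"))
    print(authorize(dr_operator, "10.0.0.5", "recovery_plan.execute", "SiteB"))
    print(authorize(dr_operator, "10.0.1.5", "recovery_plan.execute", "SiteA"))
```

The order of the gates matters for what an attacker learns: rejecting on source IP first means a request from outside the allowed segment never reaches the permission or domain check, so the error it receives leaks nothing about which sites or permissions the account holds.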
System security policies include the password policy, session timeout period, certificate authentication, login policy, and interface interconnection account login policy. The details are as follows:
- A password policy defines the minimum length, complexity, validity period, and minimum validity period of a password for a system administrator.
- The session timeout threshold is the period of inactivity after which the session between the system administrator and eReplication is interrupted. Any operation the system administrator performs on the eReplication interface restarts the timeout count from zero.
If the system administrator performs no operation within the timeout threshold after logging in to eReplication, the current session is interrupted. To perform further operations on eReplication after the interruption, the system administrator must log in again.
- Certificate authentication is used to control whether to enable digital certificate authentication. After certificate authentication is enabled, the certificates of the accessed services are verified to ensure that the services are secure and recognized by the system.
- A login policy defines the maximum number of consecutive incorrect password attempts and lockout duration when a system administrator logs in to eReplication. When the number of consecutive incorrect password attempts reaches the threshold, the user is locked.
- The login policy of the interface interconnection account is used to control whether to enable the policy of changing the password upon the first login of the interface interconnection account. This function is enabled by default. A new interface interconnection user can be used only after the password is changed.
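The password, session timeout, login and interface-account policies above interact in ways that are easy to get wrong (for instance, a minimum validity period that would block the forced first-login change of an interface account). The following is an added illustration of those policies as checks, not eReplication's own implementation: the threshold values, function names and the `Account`/`Session` classes are assumptions chosen for the demo, and time is passed in as seconds so the behaviour is deterministic.

```python
"""Illustrative model of the security policies: password policy, session idle
timeout, login lockout and first-login password change for interface accounts.

Added example code, not eReplication's implementation. Thresholds and names are
assumptions; timestamps are plain seconds supplied by the caller.
"""
import re

# Hypothetical policy values.
PASSWORD_POLICY = {
    "min_length": 8,
    "min_classes": 3,        # of: upper, lower, digit, special
    "validity_days": 90,     # must be changed after this many days
    "min_validity_days": 1,  # may not be changed again sooner than this
}
SESSION_TIMEOUT = 30 * 60   # seconds of inactivity before the session is dropped
MAX_FAILED_LOGINS = 5       # consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 15 * 60
DAY = 86400


def password_problems(new_pw: str, last_changed: float, now: float, forced: bool = False) -> list:
    """Return the list of policy violations for a proposed password (empty = acceptable).

    `forced` marks a mandatory change (first login), which is exempt from the
    minimum validity period; otherwise a fresh account could never satisfy it.
    """
    problems = []
    if len(new_pw) < PASSWORD_POLICY["min_length"]:
        problems.append("too short")
    classes = sum(bool(re.search(p, new_pw)) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < PASSWORD_POLICY["min_classes"]:
        problems.append("insufficient complexity")
    if not forced and now - last_changed < PASSWORD_POLICY["min_validity_days"] * DAY:
        problems.append("changed too recently (minimum validity period)")
    return problems


def password_expired(last_changed: float, now: float) -> bool:
    return now - last_changed > PASSWORD_POLICY["validity_days"] * DAY


class Session:
    """Idle timeout: every operation restarts the countdown from zero."""

    def __init__(self, now: float):
        self.last_activity = now
        self.active = True

    def operation(self, now: float) -> bool:
        """Attempt an operation at `now`; False means the session has been interrupted."""
        if not self.active or now - self.last_activity > SESSION_TIMEOUT:
            self.active = False          # once interrupted, a new login is required
            return False
        self.last_activity = now
        return True


class Account:
    """Login policy (consecutive-failure lockout) plus first-login change for interface accounts."""

    def __init__(self, password: str, interface_account: bool = False, now: float = 0.0):
        self.password = password
        self.failures = 0
        self.locked_until = 0.0
        self.must_change = interface_account   # first-login change policy, on by default
        self.last_changed = now

    def login(self, attempt: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"                    # attempts during lockout are not counted
        if attempt != self.password:
            self.failures += 1
            if self.failures >= MAX_FAILED_LOGINS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
                return "locked"
            return "bad password"
        self.failures = 0                      # a success resets the consecutive counter
        if self.must_change:
            return "password change required"
        if password_expired(self.last_changed, now):
            return "password expired"
        return "ok"

    def change_password(self, new_pw: str, now: float) -> list:
        """Apply the password policy; returns the violations (empty list = changed)."""
        problems = password_problems(new_pw, self.last_changed, now, forced=self.must_change)
        if not problems:
            self.password = new_pw
            self.last_changed = now
            self.must_change = False
        return problems
```

Two details worth checking in any real deployment: attempts made while an account is locked should not extend the lockout (otherwise an attacker can keep a legitimate administrator locked out indefinitely), and a mandatory first-login change must be exempt from the minimum validity period or the interface account can never become usable.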
Copyright © Huawei Technologies Co., Ltd.