The manager is standard application software and does not require privileged access to operating system features. The manager service can operate fully when running under a non-privileged operating system user.
To work with the repository, the manager needs a separate database where service information is stored. In addition, a DBMS user with the following rights is required:
- The right to LOGIN to the instance.
- The repository database rights:
  - ownership of the database
  - the right to connect to the database
  - no restrictions on access rights within the database (needed to perform migrations of the data schema)
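The following SQL provisions a repository role and database with exactly the rights listed above. It is an added example, not taken from the PPEM documentation or product; the role name ppem_manager, the database name ppem_repo and the password are assumptions.

```sql
-- Added example (not from the PPEM documentation): provisioning the manager's
-- repository role and database. Role, database and password names are assumptions.
CREATE ROLE ppem_manager LOGIN PASSWORD 'change-me';  -- the LOGIN right on the instance
CREATE DATABASE ppem_repo OWNER ppem_manager;          -- ownership of the repository database

-- CONNECT is granted to PUBLIC by default; making it explicit keeps the setup
-- working on instances where CONNECT has been revoked from PUBLIC.
GRANT CONNECT ON DATABASE ppem_repo TO ppem_manager;

-- Ownership already gives unrestricted rights inside the database (schema migrations),
-- so no further GRANTs are needed. SUPERUSER is not required and should not be granted.

-- Verification: each query should return the value noted in its comment.
SELECT rolcanlogin FROM pg_roles WHERE rolname = 'ppem_manager';                 -- t
SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = 'ppem_repo';     -- ppem_manager
SELECT has_database_privilege('ppem_manager', 'ppem_repo', 'CONNECT');           -- t
```

Run the statements as a superuser (or a role with CREATEROLE and CREATEDB); the verification queries can also be run as ppem_manager itself after the role exists.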
The agent is standard application software that requires the following for full operation:
- access to operating system features
- access to the managed DBMS instance
To implement most features, the agent only requires the access level of a non-privileged operating system user. A small number of features require privileged access. To support this functionality, additional system configuration and granting of the necessary rights are required. Without this configuration and these privileges, the agent cannot perform those operations, which adversely affects PPEM functionality. It is recommended to complete all necessary configuration before running the agent.
Access to the managed DBMS instance can be divided into the following parts:
- Access to files and directories of the DBMS instance, which is provided using operating system access levels. The user on whose behalf the agent is running must have access to the main data directory. By default, the main data directory is initialized by the postgres owner with 0600 rights, so most DBMS installations restrict access to this configuration. Therefore, the optimal operational approach is to run the agent under the postgres system user.
- Access to the SQL interface of the DBMS instance, for which the agent requires a DBMS user with the following rights:
  - the right to LOGIN to the instance
  - the right to connect to all instance databases
  - membership in the pg_monitor and pg_signal_backend roles
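The SQL below creates an agent role with only the rights listed above and then checks each of them, including the "connect to all instance databases" requirement, which can silently fail on instances where CONNECT has been revoked from PUBLIC. This is an added example, not the PPEM project's own code; the role name ppem_agent and the password are assumptions.

```sql
-- Added example (not from the PPEM documentation): least-privilege SQL role for the agent.
-- The role name and password are assumptions.
CREATE ROLE ppem_agent LOGIN PASSWORD 'change-me';   -- the LOGIN right on the instance
GRANT pg_monitor TO ppem_agent;                       -- read access to monitoring views and functions
GRANT pg_signal_backend TO ppem_agent;                -- cancel queries / terminate non-superuser sessions

-- CONNECT on every database is normally inherited from PUBLIC. If it has been revoked,
-- grant it per database; 'postgres' is shown here, repeat for each database on the instance.
GRANT CONNECT ON DATABASE postgres TO ppem_agent;

-- Verification: the first three queries should each return t.
SELECT rolcanlogin FROM pg_roles WHERE rolname = 'ppem_agent';
SELECT pg_has_role('ppem_agent', 'pg_monitor', 'MEMBER');
SELECT pg_has_role('ppem_agent', 'pg_signal_backend', 'MEMBER');

-- Databases the agent would NOT be able to connect to; expect zero rows.
SELECT datname
  FROM pg_database
 WHERE datallowconn
   AND NOT has_database_privilege('ppem_agent', datname, 'CONNECT');
```

pg_monitor and pg_signal_backend are predefined roles, so no SUPERUSER grant is needed for the SQL side of the agent; the operating system access to the data directory described above is handled separately by running the agent under the postgres system user.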