PEM Agent Privileges v8
By default, the PEM agent is installed with root privileges for the operating system host and superuser privileges for the database server. These privileges allow the PEM agent to invoke unrestricted probes on the monitored host and database server about system usage, retrieving and returning the information to the PEM server.
Please note that PEM functionality diminishes as the privileges of the PEM agent decrease. For complete functionality, the PEM agent should run as root and on the same host as the database server.
- If the PEM agent is run under the database server's service account, PEM probes will not have complete access to the statistical information used to generate reports, and functionality will be limited to the capabilities of that account.
- If the PEM agent is run under another lesser-privileged account, functionality will be limited even further.
- If the PEM agent is installed on a different host and is monitoring the database server remotely, then the functionality will be limited.
| Feature Name | Works with root User | Works with non-root User | Works with remote PEM Agent |
|---|---|---|---|
| Audit Manager | yes | The Audit Log Manager may be unable to apply requested modifications if the service cannot be restarted. The user running PEM Agent may be different from the user who owns the data directory of the database server, so user running PEM Agent may not be able to change the configuration and also may not be able to restart the services of the database server. | no |
| Capacity Manager | yes | yes | yes NOTE: There will be no co-relation between the database server and operating system metrices |
| Log Manager | yes | The Log Manager may be unable to apply requested modifications if the service cannot be restarted. The user running PEM Agent may be different from the user who owns the data directory of the database server, so user running the PEM Agent may not be able to change the configuration and also may not be able to restart the services of the database server. | no |
| Manage Alerts | yes | yes | yes NOTE: When run alert script on the database server is selected, it will run on the machine, where bound PEM Agent is running, and not on the actual database server machine. |
| Manage Charts | yes | yes | yes |
| Manage Dashboards | yes | Some dashboards may not be able to show complete data. For example, columns such as swap usage, CPU usage, IO read, and IO write will be displayed as 0 in the session activity dashboard. | Some dashboards may not be able to show complete data. For example, the operating system information of the database server will not be displayed as not available. |
| Manage Probes | yes | Some of the PEM probes will not return information, and some of functionalities may be affected. For details about probe functionality, see the Agent privileges. | Some of the PEM probes will not return information, and some of the functionalities may be affected. |
| Postgres Expert | yes | The Postgres Expert will be able to access the configuration expert and schema expert, but not the security expert. | The Expert will provide partial information as operating system information is not available. |
| Postgres Log Analysis Expert | yes | The Postgres Log Analysis Expert may not be able to do the analysis as it is dependent on the logs imported by log manager, which will not work as required. | The Postgres Log Analysis Expert will not be able to do the analysis as it is dependent on the logs imported by log manager, which will not work as required. |
| Scheduled Tasks | yes | For Linux if user is the same as batch_script_user in agent.cfg then shell script will run. | Scheduled tasks will work only for database server; scripts will run on a remote Agent. |
| Tuning Wizard | yes | The Tuning Wizard will be unable to run if the service cannot be restarted. The user running PEM Agent may be different from the user who owns the data directory of the database server, so user running PEM Agent may not be able to change the configuration and also may not be able to restart the services of the database server. | no |
| System Reports | yes | yes | yes |
| Core Usage Reports | yes | yes | The Core Usage report will not show complete information. For example, the platform, number of cores, and total RAM will not be displayed. |
| Managing BART | yes | BART and the BART scanner may not be able to start/reload. | no NOTE: BART requires password less authentication between two machines, where database server and BART are installed. |