Defining access policies

Govern how users connect to the cluster and manage global privileges through a centralized administrative suite. The Access Management panel on the left sidebar allows you to configure security rules and system thresholds that are typically managed via command-line configuration files.

Important

Access to this panel is restricted to users with the Admin role privilege.

Governing authentication rules and the cluster firewall

Monitor the rules that determine who can connect to the database and from where using the pg_hba.conf tab.

  • Review the Trust Rules count in the header. A high number indicates rules that allow passwordless access. You must transition these rules to scram-sha-256 or md5 authentication on the database server to secure the cluster.
  • Audit the pg_hba.conf Entries table to ensure that only authorized CIDR address ranges are permitted. Look for explicit reject rules that you have implemented to block known unauthorized subnets.
  • Apply configuration changes after manual edits by selecting the Reload Config button in the header. This sends a SIGHUP signal to the database engine to apply the rules immediately without interrupting active user sessions.

Managing cluster identities and global privileges

Enforce the principle of least privilege and monitor the security posture of your user landscape using the Roles tab.

  • Monitor the Superusers metric in the header to ensure unrestricted access is kept to an absolute minimum. If this count increases, audit the Database Roles table to identify which accounts were granted unrestricted access.
  • Compare the Total Roles to Login Roles to identify active users versus group roles. You must ensure that individual human users or service accounts have active login attributes.
  • Inspect the Attributes column in the Database Roles table to verify which roles can perform sensitive actions like CREATEDB or CREATEROLE. Monitor the connection limit to prevent any single role from exhausting the cluster session pool.

Auditing system settings

Verify the operational thresholds and performance tunings of your cluster with the System Settings tab.

  • Use the search interface to find specific parameters. Review categories like Resource Usage or Memory to verify that your tunings match the current workload requirements.
  • Check the Value and Unit columns to ensure that settings like statement_timeout are configured correctly to prevent runaway queries from impacting the system.

Note

This interface is read-only for auditing purposes. To modify a setting, use the gpconfig utility. For example: gpconfig -c statement_timeout -v 10000. After making changes, apply them by reloading the configuration: gpstop -u.

Modifying authentication rules

Update your connection rules without leaving the management console with the HBA Editor tab.

Note

The HBA Editor is only available when WEM is running on the same host as the WHPG coordinator.

  • Use the interactive interface to define new type, database, user, and method combinations. Remember that pg_hba.conf is parsed sequentially; ensure your more specific rules are placed above more general ones.
  • After making edits, use the Save Changes button to store them in the WEM interface. To make them live, select Reload Config, which backs up the existing file on the coordinator before overwriting it with your new configuration.
  • If you make a mistake before committing, use the Reload File button to discard your current edits and pull the live version of the file back into the editor.
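
The trust-rule count and the first-match ordering described above can also be checked offline against a copy of pg_hba.conf. The following is an added example, not part of WEM or of the original page: the function names (parse_hba, covers, audit) and the sample file are constructed for illustration, and it assumes addresses in CIDR form with single (not comma-separated) database and user names.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration (not from a real cluster).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS          METHOD
local   all       gpadmin                   trust
host    all       all      10.0.0.0/8       scram-sha-256
host    all       all      10.9.0.0/16      reject
host    sales     etl      192.168.5.0/24   md5
host    all       all      0.0.0.0/0        trust
"""

def parse_hba(text):
    """Return rules in file order, the order in which they are evaluated."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] == "local":  # local rules have no ADDRESS column
            rtype, db, user, method = fields[:4]
            net = None
        else:  # assumption: ADDRESS is written in CIDR form
            rtype, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr, strict=False)
        rules.append({"line": lineno, "type": rtype, "db": db,
                      "user": user, "net": net, "method": method})
    return rules

def covers(a, b):
    """True if every connection that matches rule b also matches rule a."""
    if a["type"] != b["type"]:
        return False
    if a["db"] not in ("all", b["db"]) or a["user"] not in ("all", b["user"]):
        return False
    if a["net"] is None:  # both rules are 'local'
        return True
    return a["net"].version == b["net"].version and b["net"].subnet_of(a["net"])

def audit(text):
    """Return (lines of trust rules, [(shadowed_line, earlier_line), ...])."""
    rules = parse_hba(text)
    trust = [r["line"] for r in rules if r["method"] == "trust"]
    shadowed = [(b["line"], a["line"]) for i, b in enumerate(rules)
                for a in rules[:i] if covers(a, b)]
    return trust, shadowed

if __name__ == "__main__":
    trust_lines, shadowed_rules = audit(SAMPLE_HBA)
    print("trust rules on lines:", trust_lines)
    for later, earlier in shadowed_rules:
        print(f"line {later} never matches: line {earlier} above it is broader")
```

In the sample, the reject rule for 10.9.0.0/16 is reported as shadowed because the broader 10.0.0.0/8 rule sits above it; moving the reject rule up one line clears the finding.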
