Setting agent privileges v9

By default, the PEM agent is installed with root privileges for the operating system host and superuser privileges for the database server. These privileges allow the PEM agent to run unrestricted probes against the monitored host and database server, collecting system usage information and returning it to the PEM server.

Root user versus non-root user

PEM functionality lessens as the privileges of the PEM agent decrease. For complete functionality, run the PEM agent as root. If the PEM agent runs under the database server's service account, PEM probes don't have complete access to the statistical information used to generate reports, and functionality is limited to the capabilities of that account. If the PEM agent runs under another lesser-privileged account, functionality is limited even further.

| Feature name | Works with root user | Works with non-root user | Works with remote PEM agent |
| --- | --- | --- | --- |
| Audit Manager | yes | The Audit Log Manager might not be able to apply requested modifications if the service can't be restarted. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
| Capacity Manager | yes | yes | yes. Note: There's no correlation between the database server and operating system metrics. |
| Log Manager | yes | The Log Manager might not be able to apply requested modifications if the service can't restart. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
| Manage Alerts | yes | yes | yes. Note: When Run Alert Script on the database server is selected, it runs on the machine where the bound PEM agent is running and not on the actual database server machine. |
| Manage Charts | yes | yes | yes |
| Manage Dashboards | yes | Some dashboards might not be able to show complete data. For example, columns such as swap usage, CPU usage, IO read, and IO write appear as 0 in the session activity dashboard. | Some dashboards might not be able to show complete data. For example, the operating system information of the database server doesn't appear as not available. |
| Manage Probes | yes | Some of the PEM probes don't return information, and some of the functionality might be affected. | Some of the PEM probes don't return information, and some of the functionality might be affected. |
| Postgres Expert | yes | The Postgres Expert can access the configuration expert and schema expert but not the security expert. | The Expert provides partial information, as operating system information isn't available. |
| Postgres Log Analysis Expert | yes | The Postgres Log Analysis Expert might not be able to do the analysis, as it depends on the logs imported by Log Manager, which doesn't work as required. | The Postgres Log Analysis Expert can't do the analysis, as it depends on the logs imported by Log Manager, which doesn't work as required. |
| Scheduled Tasks | yes | For Linux, if the user is the same as batch_script_user in agent.cfg, then the shell script runs. | Scheduled tasks work only for the database server. Scripts run on a remote agent. |
| Tuning Wizard | yes | The Tuning Wizard can't run if the service can't restart. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
| System Reports | yes | yes | yes |
| Core Usage Reports | yes | yes | The Core usage report doesn't show complete information. For example, the platform, number of cores, and total RAM aren't displayed. |
| Managing BART | yes | BART and the BART scanner might not be able to start or reload. | no. Note: BART requires passwordless authentication between two machines where database server and BART are installed. |

Functionality affected by limiting operating system privileges

If you limit the operating system privileges of the PEM agent, some of the PEM probes don't return information, and the following functionality might be affected.

Note: The list isn't comprehensive but provides an overview of the type of functionality that's limited.

| Probe or action | Operating system | PEM functionality affected |
| --- | --- | --- |
| Data And Logfile Analysis | Linux/Windows | The Postgres Expert can't access complete information. |
| Session Information | Linux | The per-process statistics are incomplete. |
| PG HBA | Linux/Windows | The Postgres Expert can't access complete information. |
| Service restart functionality | Linux/Windows | The Audit Log Manager, Server Log Manager, Log Analysis Expert, and PEM might not be able to apply requested modifications. |
| Package Deployment | Linux/Windows | PEM can't run downloaded installation modules. |
| Batch Task | Windows | PEM can't run scheduled batch jobs in Windows. |
| Collect data from server (root access required) | Linux/Windows | Columns such as swap usage, CPU usage, IO read, IO write appear as 0 in the session activity dashboard. |

Functionality affected by limiting database privileges

If you restrict the database privileges of the PEM agent, the following PEM functionality might be affected:

| Probe | Operating system | PEM functionality affected |
| --- | --- | --- |
| Audit Log Collection | Linux/Windows | PEM receives empty data from the PEM database. |
| Server Log Collection | Linux/Windows | PEM can't collect server log information. |
| Database Statistics | Linux/Windows | The Database/Server Analysis dashboards contain incomplete information. |
| Session Waits/System Waits | Linux/Windows | The Session/System Waits dashboards contain incomplete information. |
| Locks Information | Linux/Windows | The Database/Server Analysis dashboards contain incomplete information. |
| Streaming Replication | Linux/Windows | The Streaming Replication dashboard doesn't display information. |
| Slony Replication | Linux/Windows | Slony-related charts on the Database Analysis dashboard don't display information. |
| Tablespace Size | Linux/Windows | The Server Analysis dashboard doesn't display complete information. |
| xDB Replication | Linux/Windows | PEM can't send xDB alerts and traps. |

Error handling

If the probe is querying the operating system without enough privileges, the probe might return a permission denied error. If the probe is querying the database without enough privileges, the probe might return a permission denied error or display the returned data in a PEM chart or graph as an empty value.

When a probe fails, an entry is written to the log file that contains the name of the probe, the reason the probe failed, and a hint that helps you resolve the problem.

You can view probe-related errors that occurred on the server in the Probe Log dashboard or review error messages in the PEM worker log files. On Linux, the default location of the log file is:

/var/log/pem/worker.log

On Windows, log information is available in the Event Viewer.
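
The script below is an added example, not part of the PEM documentation or product. On a Linux host it reports which of the three account tiers described above the agent falls into, and how many permission errors the worker log records. Assumptions: the agent process is named pemagent, the database server's service account is the owner of the data directory, failed probes log the text "permission denied", and GNU ps and stat are available.

```shell
#!/bin/sh
# Added example, not PEM code. Assumptions: the agent process is named
# "pemagent" and failed probes log the text "permission denied".

# Map the agent's UID and the data directory owner's UID to a privilege tier.
classify_agent_account() {
    if [ "$1" -eq 0 ]; then
        echo "root: complete functionality"
    elif [ "$1" -eq "$2" ]; then
        echo "database service account: limited to that account's capabilities"
    else
        echo "other account: may be unable to change configuration or restart the database service"
    fi
}

# Count worker-log lines that record a permission error (case-insensitive).
count_permission_denied() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 1
    fi
    grep -ci 'permission denied' "$1" || true
}

# Usage: report DATA_DIRECTORY [WORKER_LOG]
report() {
    log_file=${2:-/var/log/pem/worker.log}
    agent_uid=$(ps -o uid= -C pemagent 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$agent_uid" ]; then
        echo "no pemagent process found" >&2
        return 1
    fi
    owner_uid=$(stat -c %u "$1") || return 1
    echo "agent uid: $agent_uid, data directory owner uid: $owner_uid"
    classify_agent_account "$agent_uid" "$owner_uid"
    echo "permission-denied log entries: $(count_permission_denied "$log_file")"
}

if [ "$#" -ge 1 ]; then
    report "$@"
fi
```

Run it with the database server's data directory as the first argument. A nonzero count for an agent in the second or third tier points to the probes listed in the tables above.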