Defining access policies

The Access Management panel provides an administrative suite for governing how users connect to the cluster and what global privileges they hold. It centralizes security settings that are otherwise managed by editing configuration files from the command line.

Important

Access to this panel is restricted to users with the Admin role privilege.

Auditing authentication firewall

Use the pg_hba.conf tab to monitor the active rules that determine who can connect to your database and from where.

  • Identify security vulnerabilities: Review the Trust Rules count in the header. A high count means many rules allow passwordless access (the trust method). WarehousePG Enterprise Manager (WEM) displays a warning if this count is excessive, signaling a need to transition those rules to scram-sha-256 or md5 authentication.
  • Verify connection pathways: Audit the pg_hba.conf Entries table to ensure that only authorized CIDR address ranges are permitted. Look for explicit reject rules that you have implemented to block known unauthorized subnets.
  • Reload configurations: If you have made changes to the configuration files, use the Reload Config button in the header. This sends a SIGHUP signal to the database engine, applying the rules immediately without interrupting active user sessions.

Auditing cluster identities and privileges

Use the Roles tab to monitor the security posture of your user landscape and enforce the "principle of least privilege".

  • Minimize superuser counts: Check the Superusers metric in the header. This count must be kept to an absolute minimum. If it increases unexpectedly, audit the database roles table to identify which accounts were granted unrestricted access.
  • Manage login capabilities: Compare the Total roles to Login roles. Roles without login privileges are typically group roles used for permission inheritance. Ensure that individual human users are the only ones with active login attributes.
  • Review global attributes: Inspect the Attributes column in the Database Roles table to verify who can perform sensitive actions like CREATEDB (creating databases) or CREATEROLE (modifying other users). Monitor the connection limit to prevent any single role from exhausting the cluster's session pool.
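The three checks above (superuser count, login versus group roles, and the global attributes and connection limits) can be reproduced from the catalog for a scripted audit or for comparison against what the Roles tab shows. The following is an added example, not WEM or WarehousePG code: ROLE_QUERY is the catalog query it assumes would feed the audit on a live cluster (pg_roles joined to pg_auth_members so group roles can be told apart from individual accounts), and SAMPLE_ROLES is a constructed result set in the same column order so that the audit runs offline. How WEM itself computes its header metrics is not documented on this page.

```python
"""Summarise cluster roles the way the WEM Roles tab does.

Added example, not WEM or WarehousePG code. ROLE_QUERY is the catalog query
that would feed the audit on a live cluster; SAMPLE_ROLES is a constructed
result set in the same column order so the audit runs offline. The audit
returns the header metrics (total, login and superuser counts), each role's
global attributes in the wording psql's \\du uses, superusers outside an
approved set, group roles (roles that have members) that can nevertheless
log in, and login roles with no connection limit.
"""
from dataclasses import dataclass

# One row per role; member_count comes from pg_auth_members so group roles
# can be distinguished from individual accounts.
ROLE_QUERY = """
SELECT r.rolname, r.rolsuper, r.rolcanlogin, r.rolcreatedb, r.rolcreaterole,
       r.rolconnlimit, count(m.member) AS member_count
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.roleid = r.oid
WHERE r.rolname NOT LIKE 'pg\\_%'
GROUP BY r.rolname, r.rolsuper, r.rolcanlogin, r.rolcreatedb, r.rolcreaterole,
         r.rolconnlimit
ORDER BY r.rolname;
"""


@dataclass(frozen=True)
class Role:
    name: str
    superuser: bool
    can_login: bool
    createdb: bool
    createrole: bool
    conn_limit: int  # -1 means unlimited
    member_count: int

    def attributes(self) -> list:
        """Global attributes, in the wording and order psql's \\du prints them."""
        attrs = []
        if self.superuser:
            attrs.append("Superuser")
        if self.createrole:
            attrs.append("Create role")
        if self.createdb:
            attrs.append("Create DB")
        if not self.can_login:
            attrs.append("Cannot login")
        return attrs


def audit_roles(rows, approved_superusers=frozenset()) -> dict:
    """Header metrics plus the findings a least-privilege review acts on."""
    roles = [Role(*row) for row in rows]
    superusers = [r.name for r in roles if r.superuser]
    return {
        "total_roles": len(roles),
        "login_roles": sum(r.can_login for r in roles),
        "superusers": superusers,
        "unexpected_superusers": [n for n in superusers if n not in approved_superusers],
        "privileged": {r.name: r.attributes() for r in roles
                       if r.superuser or r.createdb or r.createrole},
        # a role with members is a group; it should not also hold a login
        "group_roles_with_login": [r.name for r in roles
                                   if r.member_count > 0 and r.can_login],
        # login roles with no limit can exhaust the cluster's session pool
        "unlimited_login_roles": [r.name for r in roles
                                  if r.can_login and r.conn_limit == -1],
    }


# Constructed result of ROLE_QUERY; no real cluster was queried.
SAMPLE_ROLES = [
    # name, super, login, createdb, createrole, conn_limit, member_count
    ("alice",             False, True,  False, False, 10, 0),
    ("analytics_readers", False, False, False, False, -1, 2),
    ("etl_service",       True,  True,  False, False, -1, 0),
    ("gpadmin",           True,  True,  True,  True,  -1, 0),
    ("reporting",         False, True,  True,  False, -1, 3),
]

if __name__ == "__main__":
    for key, value in audit_roles(SAMPLE_ROLES, {"gpadmin"}).items():
        print(f"{key}: {value}")
```

On the constructed data the audit reports etl_service as a superuser outside the approved set, reporting as a group role that can also log in, and three login roles with no connection limit; the same comparisons apply to the Superusers, Total roles and Login roles figures in the tab header.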

Auditing system settings

Use the System Settings tab to audit the current operational thresholds and performance tunings of your cluster.

  • Search for performance thresholds: Use the searchable interface to find specific parameters. Review categories like Resource Usage or Memory to verify that your tunings match the current workload requirements.
  • Identify current values and units: Check the Value and Unit columns to ensure that settings like statement_timeout are configured correctly to prevent runaway queries from impacting the system.

Note

This interface is read-only for auditing purposes. To modify a setting, use the gpconfig utility. For example: gpconfig -c statement_timeout -v 10000. After making changes, apply them by reloading the configuration: gpstop -u.

Modifying authentication rules

Use the HBA Editor tab to update your connection rules without leaving the management console.

  • Add or reorder rules: Use the interactive interface to define new type, database, user, and method combinations. Remember that pg_hba.conf is parsed sequentially; ensure your more specific rules are placed above more general ones.
  • Commit changes safely: After making edits, use the Save Changes button to store them in the WEM interface. To make them live, select Reload Config; this backs up the existing file on the coordinator before overwriting it with your new configuration.
  • Revert edits: If you make a mistake before committing, use the Reload File button to discard your current edits and pull the live version of the file back into the editor.
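The checks the pg_hba.conf tab surfaces (trust-rule count, permitted CIDR ranges, explicit reject rules) and the ordering rule above (pg_hba.conf is parsed top-down and the first matching line wins, so a specific rule placed below a broader one never matches) can be reproduced offline before a file is saved and reloaded. The following is an added example, not WEM or WarehousePG code: the parser, the covers() and audit() functions are this example's own, and SAMPLE_PG_HBA is a constructed file, not one taken from any cluster.

```python
"""Audit pg_hba.conf rules the way the WEM pg_hba.conf tab summarises them.

Added example, not WEM or WarehousePG code. It parses pg_hba.conf text, counts
trust rules, lists explicit reject rules, flags passwordless rules reachable
from any address, and reports rules that can never match because an earlier,
broader rule already covers the same clients (pg_hba.conf is matched top-down;
the first matching line wins). Address forms handled: CIDR, IP plus dotted
netmask, and the keyword "all". Hostnames, samehost and samenet are kept as
rules but left unresolved, so they take no part in the shadowing check.
"""
import ipaddress
from dataclasses import dataclass, field

PASSWORDLESS = {"trust"}
ANY_ADDRESS = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


@dataclass
class HbaRule:
    lineno: int
    conn_type: str  # local, host, hostssl, hostnossl
    database: str
    user: str
    method: str
    networks: list = field(default_factory=list)  # empty for local/unresolved


def parse_pg_hba(text: str) -> list:
    """Parse rule lines; comments and blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type, database, user = fields[0], fields[1], fields[2]
        if conn_type == "local":
            # local  DATABASE  USER  METHOD  [OPTIONS]
            rules.append(HbaRule(lineno, conn_type, database, user, fields[3]))
            continue
        # host*  DATABASE  USER  ADDRESS [NETMASK]  METHOD  [OPTIONS]
        address, rest = fields[3], fields[4:]
        if address == "all":
            networks = list(ANY_ADDRESS)
        elif "/" in address:
            networks = [ipaddress.ip_network(address, strict=False)]
        else:
            try:  # "ADDRESS NETMASK" form; fails for hostnames/samehost/samenet
                networks = [ipaddress.ip_network(f"{address}/{rest[0]}", strict=False)]
                rest = rest[1:]
            except ValueError:
                networks = []
        rules.append(HbaRule(lineno, conn_type, database, user, rest[0], networks))
    return rules


def covers(earlier: HbaRule, later: HbaRule) -> bool:
    """True when every client that could match `later` already matches `earlier`."""
    same_type = earlier.conn_type == later.conn_type or (
        earlier.conn_type == "host" and later.conn_type in ("hostssl", "hostnossl")
    )
    if not same_type:
        return False
    for broad, narrow in ((earlier.database, later.database), (earlier.user, later.user)):
        if broad != "all" and broad != narrow:
            return False
    if earlier.conn_type == "local":
        return True
    if not earlier.networks or not later.networks:
        return False  # unresolved address: cannot decide statically
    return all(
        any(n.version == e.version and n.subnet_of(e) for e in earlier.networks)
        for n in later.networks
    )


def audit(rules: list) -> dict:
    """Return the figures the tab header shows plus the findings worth acting on."""
    report = {
        "trust_rules": [r.lineno for r in rules if r.method in PASSWORDLESS],
        "reject_rules": [r.lineno for r in rules if r.method == "reject"],
        # passwordless and reachable from every address of that IP version
        "open_to_world": [
            r.lineno for r in rules
            if r.method in PASSWORDLESS and any(n.prefixlen == 0 for n in r.networks)
        ],
        "shadowed": [],  # (unreachable line, earlier line that shadows it)
    }
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                report["shadowed"].append((later.lineno, earlier.lineno))
                break
    return report


# Constructed sample, not taken from any real cluster.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS           METHOD
local   all       gpadmin                    trust
host    all       all      127.0.0.1/32      trust
host    all       all      10.0.0.0/8        scram-sha-256
host    all       all      10.1.5.0/24       reject
host    all       all      0.0.0.0/0         trust
"""

if __name__ == "__main__":
    for key, value in audit(parse_pg_hba(SAMPLE_PG_HBA)).items():
        print(f"{key}: {value}")
```

In the constructed file the reject rule for 10.1.5.0/24 sits below the scram-sha-256 rule for 10.0.0.0/8, so it is reported as shadowed and never blocks anything until it is moved above the broader rule; the final 0.0.0.0/0 trust line is the kind of entry that drives the Trust Rules warning and should be converted to scram-sha-256 or md5 before Reload Config is used.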
