Protegrity SDK Upgrade Permissions and Deployment
Lists user or group configuration, file and folder permissions, and deployment steps.
Overview
Protegrity deployments include the following components:
- Upgrade Agent
- Application Protector (AP) Java SDK
- Resilient Package (RP) Agent
- Log Forwarder
It requires a structured permission model to ensure that only authorized users can access protected resources. The permissions define the ability to execute, read, or modify protected resources. This section provides recommended user and group configurations, file and folder permissions, and step‑by‑step deployment guidance for a common use case.
1 - User Roles and Groups
Details about user roles and groups for a common setup.
Groups
| Group | Purpose | Example |
|---|
| Admin group | Users who manage the Upgrade Agent, RPAgent, and Log Forwarder. This group is always required. | ptyadmin |
| SDK users group | AP Java users who run applications using the SDK. | ptyusers |
User Configuration Examples
| User | Primary Group | Purpose |
|---|
ptyadmin | ptyadmin | Admin user who can install and run Upgrade Agent, RPAgent, Log Forwarder, and AP Java. |
ptyuser1, ptyuser2, and so on | ptyadmin | AP Java user who can run application using the SDK. |
User and Group Setup Commands
This section provide commands to create users and groups on Linux.
sudo groupadd ptyadmin
sudo useradd -m -g ptyadmin ptyadmin
sudo useradd -m -g ptyadmin ptyuser1
Here, ptyuser1 uses ptyadmin as the primary group. PID files are created with the following ownership:
The Upgrade Agent can read the files with this permission automatically.
2 - Component Overview
Details about ownership of all Protegrity components.
All Protegrity components are owned and primarily run by the ptyadmin user. The following table lists the components and their ownership.
| Component | Description | Owner or User* | Who Runs It |
|---|
| Upgrade Agent | Upgrades and rolls back Protegrity components. | ptyadmin | ptyadmin user |
| AP Java SDK | Java libraries used by applications to protect and unprotect data. | ptyadmin | User (ptyuser1) in the ptyadmin group. |
| RPAgent | Downloads and keeps security policy packages in sync. | ptyadmin | ptyadmin user |
| Log Forwarder | - Collects logs and forwards them to the ESA.
- It is based on Fluent Bit. | ptyadmin | ptyadmin user |
* - All components are owned by ptyadmin.
The 10.0.gpg file is used by the Upgrade Agent for signature verification. However, it is not a part of the product build. Complete the following steps.
- Copy it manually from the ESA machine.
- Place it in
upgrader/bin/. - Set permissions to
640.
3 - Recommended File and Folder Permissions
List of permissions required for users and groups, core components, and files.
This section explains the required users and groups, core components, and recommended file permissions for running Protegrity Upgrade Agent and the AP Java SDK securely on Linux systems.
Note: The user running the Upgrade Agent must own the extracted old SDK build used for the upgrade. If a local path is configured in sdkupgrd.conf, the user must also own the downloaded new build.
The following tables describe which users can access specific directories under the Upgrade Agent installation and explain why these permissions are required.
ptyadmin - Admin user who owns and manages the Upgrade Agent, RPAgent, and Log Forwarder.ptyuser1 - AP Java application user.
Upgrader Agent
The Upgrade Agent is always installed under /opt/protegrity/upgrader/.
| Path | Owner:Group | Mode | Notes |
|---|
/opt/protegrity/ | ptyadmin:ptyadmin | 751 | Allows users to traverse into subdirectories without listing the contents of /opt/protegrity. |
upgrader/ | ptyadmin:ptyadmin | 750 | - |
upgrader/bin/ | ptyadmin:ptyadmin | 750 | - |
upgrader/bin/sdkupgrd | ptyadmin:ptyadmin | 700 | Ensures upgrades and rollbacks can be initiated only by ptyadmin. |
upgrader/data/ | ptyadmin:ptyadmin | 750 | - |
upgrader/data/metadata.ini | ptyadmin:ptyadmin | 660 | Enables the SDK to read and update active version information required for upgrade coordination. |
upgrader/data/sdkupgrd.conf | ptyadmin:ptyadmin | 660 | - |
upgrader/logs/ | ptyadmin:ptyadmin | 770 | Allows SDK users to create and write log files during runtime and upgrades. |
upgrader/active_processes/ | ptyadmin:ptyadmin | 770 | Allows SDK users to create PID files so the Upgrade Agent can detect running processes. |
upgrader/backup/ | ptyadmin:ptyadmin | 750 | Stores backup and rollback data. |
AP Java SDK
| Path | Owner:Group | Mode | Notes |
|---|
sdk/ | ptyadmin:ptyadmin | 750 | Grants AP Java users read and execute access to the SDK. |
sdk/java/lib/ | ptyadmin:ptyadmin | 750 | Contains SDK JARs and native libraries. |
sdk/java/lib/ApplicationProtectorJava.jar | ptyadmin:ptyadmin | 640 | Read‑only access for AP Java users. |
sdk/java/lib/jcorelite.plm | ptyadmin:ptyadmin | 640 | Native library used by the SDK runtime. |
sdk/java/data/ | ptyadmin:ptyadmin | 750 | SDK configuration directory. |
sdk/java/data/config.ini | ptyadmin:ptyadmin | 640 | SDK configuration file. Read‑only access for AP Java users. |
RPAgent
| Path | Owner:Group | Mode | Notes |
|---|
rpagent/ | ptyadmin:ptyadmin | 755 | Allows read and execute access without exposing writable permissions. |
rpagent/bin/rpagent | ptyadmin:ptyadmin | 750 | RPAgent runtime binary. |
rpagent/bin/rpagentctrl | ptyadmin:ptyadmin | 750 | RPAgent control script. |
rpagent/data/rpagent.cfg | ptyadmin:ptyadmin | 640 | RPAgent configuration file. |
Log Forwarder
| Path | Owner:Group | Mode | Notes |
|---|
logforwarder/ | ptyadmin:ptyadmin | 755 | Allows read and execute access without write permissions. |
logforwarder/bin/fluent-bit | ptyadmin:ptyadmin | 750 | Log Forwarder runtime binary. |
logforwarder/bin/logforwarderctrl | ptyadmin:ptyadmin | 750 | Log Forwarder control script. |
logforwarder/data/logforwarder.conf | ptyadmin:ptyadmin | 640 | Log Forwarder configuration file. |