# Prerequisites

> Patch server requirements, network access, and the OS-level permissions the agent's service user needs on Linux and Windows.

Before an Apiphani engineer installs the agent, your team needs to provide a Patch server, confirm network access, and prepare a service user with the right permissions on each managed host. This page lists every prerequisite.

## Patch server

The Patch server is the host that runs the Luumen agent. You need exactly one per Luumen client.

| Requirement      | Details                                                                                       |
| ---------------- | --------------------------------------------------------------------------------------------- |
| Operating system | Linux (any modern distribution with `systemd`) or Windows Server                              |
| CPU and memory   | Modest — the agent is lightweight. 2 vCPU / 4 GB RAM is sufficient for hundreds of hosts.     |
| Disk             | A few GB for the binary and rolling logs (`log_retention_days` defaults to 30)                |
| Network          | Outbound HTTPS to the Luumen API. Outbound SSH or WinRM to every managed host.                |
| Access           | A service user with permission to execute the agent binary and read its config and key files. |

The Patch server should be a stable host that is not regularly rebuilt or rotated. The agent runs as a system service, so the server needs to stay up to keep the dashboard current.

## Network access

The Patch server must be able to reach:

* The Luumen API base URL configured in `config.yaml` (HTTPS, default port 443).
* Every managed host over SSH (port 22) or WinRM (port 5985 for HTTP, 5986 for HTTPS).

You can verify outbound API access from the Patch server with a quick `curl`:

```bash
curl -H "api-key: YOUR_API_KEY_HERE" "https://ns2-api.apiphani.io/v2/api/v1/config"
```

A successful response confirms network access and a valid API key. See [Troubleshooting](/enterprise/troubleshooting/common-issues#agent-fails-to-execute) if the request hangs or returns an error.

## Service user permissions

The agent runs as a dedicated service user on the Patch server, and authenticates to each managed host as a user you control on that host. The required permissions vary by platform.

<Note>
  The permissions below cover the agent's current data collection. As new properties are added, the required permissions can change. We'll document changes here and notify customers ahead of upgrades that require new permissions.
</Note>

### Linux

The service user on each Linux host needs `sudo` access to the following commands and file for standard OS data collection:

| Command or file             | Why the agent needs it                                           |
| --------------------------- | ---------------------------------------------------------------- |
| `dmidecode`                 | Reads DMI tables for hardware detection (vendor, model, serials) |
| `getenforce`                | Queries SELinux status                                           |
| `tuned-adm`                 | Queries the `tuned` daemon for active performance profile        |
| `/var/spool/cron/tabs/root` | Reads root's crontab for scheduled-job inventory                 |

Application-specific properties may require additional read permissions on the relevant directories. If you've enabled the SAP integration, for example, the service user needs broad read access to SAP files under the SAP user's directories — the exact paths are determined during white-glove setup. See [SAP integration](/enterprise/integrations/sap).
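
A preflight for the table above, as an added example that is not Luumen or Apiphani code: run as the service user on a managed Linux host, it asks the sudo policy whether each listed item is permitted, without executing anything, and flags an unrestricted `ALL` grant. Probing the crontab through `cat` is an assumption, since the page does not say how the agent reads that file.

```bash
# Added example: run on a managed Linux host as the agent's service user.
# Command names and the crontab path come from the table above.
REQUIRED_CMDS="dmidecode getenforce tuned-adm"
CRON_FILE="/var/spool/cron/tabs/root"
# Assumption: the page does not say how the agent reads the crontab;
# this example probes for `cat` on that path.
CRON_READER="cat"

# sudo_allows CMD [ARGS...]: 0 if sudo would run it without prompting.
# -n never prompts; -l with a command only queries the policy, it runs nothing.
# A refusal can also mean sudo would have asked for a password.
sudo_allows() {
  sudo -n -l "$@" >/dev/null 2>&1
}

# missing_sudo_rights: prints one line per required item that sudo refuses.
missing_sudo_rights() {
  local cmd
  for cmd in $REQUIRED_CMDS; do
    sudo_allows "$cmd" || echo "$cmd"
  done
  sudo_allows "$CRON_READER" "$CRON_FILE" || echo "$CRON_READER $CRON_FILE"
}

# has_blanket_sudo: 0 if the policy listing ends a rule in an unrestricted ALL,
# e.g. "(ALL : ALL) NOPASSWD: ALL". That is broader than this page requires.
has_blanket_sudo() {
  sudo -n -l 2>/dev/null |
    grep -Eq '\)[[:space:]]+([A-Z_]+:[[:space:]]*)*ALL[[:space:]]*$'
}

# preflight: readable report; returns non-zero if a listed right is missing.
preflight() {
  local missing
  missing="$(missing_sudo_rights)"
  if has_blanket_sudo; then
    echo "WARN: service user has an unrestricted sudo grant"
  fi
  if [ -n "$missing" ]; then
    echo "MISSING sudo rights:"
    echo "$missing" | sed 's/^/  /'
    return 1
  fi
  echo "OK: all listed sudo rights present"
}

# Nothing runs unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then preflight; fi
```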

### Windows

On Windows hosts, the service user needs the following access types:

| Access                   | Why the agent needs it                                                                      |
| ------------------------ | ------------------------------------------------------------------------------------------- |
| Registry access          | Reads application data and installed software metadata                                      |
| WMI queries              | Runs `Get-CimInstance` and `Get-WmiObject` to collect OS, memory, CPU, and swap information |
| Process and service info | Runs `Get-Process` and `Get-Service` for service inventory                                  |

## Patch server service user

The user that runs the agent binary on the Patch server itself also needs:

* Execute permission on the agent binary (`chmod +x` on Linux).
* Read permission on `config.yaml` and any SSH private keys referenced in the host list.
* `sudo` access on the Patch server when installing the agent as a service (during the install command only).
* If using HashiCorp Vault: a way to provide the Vault token, typically the `VAULT_TOKEN` environment variable.
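
The file permissions in the list above can be audited before the install, shown here as an added example that is not Luumen or Apiphani code. The page only requires that the service user can execute the binary and read the config and keys; treating group/other access as a finding is this example's hardening choice, and every path is supplied by the caller.

```bash
# Added example: audit the files the Patch server service user must access.
# Run it as that service user; `-r` tests the invoking user's access.

# perm_bits FILE: octal mode such as 600 (GNU coreutils / busybox stat).
perm_bits() { stat -c '%a' "$1"; }

# check_secret FILE: for config.yaml and SSH private keys.
# Prints "ok", "unreadable", or "too-open:<mode>" if group/other hold any bit.
check_secret() {
  local mode
  [ -r "$1" ] || { echo "unreadable"; return 0; }
  mode="$(perm_bits "$1")"
  if [ $(( 0$mode & 077 )) -ne 0 ]; then echo "too-open:$mode"; else echo "ok"; fi
}

# check_binary FILE: for the agent binary (mode bits only).
# Prints "ok", "missing", "not-executable" (no x bit, i.e. chmod +x not done),
# or "replaceable:<mode>" if group/other can overwrite the binary.
check_binary() {
  local mode
  [ -e "$1" ] || { echo "missing"; return 0; }
  mode="$(perm_bits "$1")"
  if [ $(( 0$mode & 0111 )) -eq 0 ]; then
    echo "not-executable"
  elif [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "replaceable:$mode"
  else
    echo "ok"
  fi
}

# audit BINARY CONFIG [KEY...]: one line per file; returns the finding count.
audit() {
  local findings=0 result f
  result="$(check_binary "$1")"; echo "$1: $result"
  [ "$result" = "ok" ] || findings=$((findings + 1))
  shift
  for f in "$@"; do
    result="$(check_secret "$f")"; echo "$f: $result"
    [ "$result" = "ok" ] || findings=$((findings + 1))
  done
  return "$findings"
}
```

Call it as `audit <agent-binary> <config.yaml> <ssh-key>...`; a non-zero exit status is the number of files that need attention.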

## What Apiphani handles

The white-glove install covers everything beyond providing the Patch server and the service user:

* Downloading and placing the agent binary.
* Writing the initial `config.yaml`.
* Installing the agent as a service and verifying the first scheduled run.
* Configuring the remote agent config (host list, default credentials) in the Luumen UI.
* For self-hosted deployments, provisioning the Luumen API and web app.

See [White-glove setup](/enterprise/installation/white-glove-setup) for what Apiphani needs from your team to get started.
