Bug #61212 Agent gets more privileges than needed by installer
Submitted: 18 May 2011 8:30
Modified: 5 Feb 2014 13:54
Reporter: Daniël van Eeden
Status: Won't fix
Category: MySQL Enterprise Monitor: Installing
Severity: S3 (Non-critical)
Version: 2.3.3.2061
OS: Any
Assigned to:
CPU Architecture: Any

[18 May 2011 8:30] Daniël van Eeden
Description:
The installer can create a database agent, but it grants more privileges than needed.

mysql> SHOW GRANTS FOR 'agent'@'localhost'\G
*************************** 1. row ***************************
Grants for agent@localhost: GRANT SELECT, PROCESS, SHOW DATABASES, SUPER, REPLICATION CLIENT ON *.* TO 'agent'@'localhost' IDENTIFIED BY PASSWORD '*PASSWORD_HASH'
*************************** 2. row ***************************
Grants for agent@localhost: GRANT SELECT, INSERT, CREATE ON `mysql`.* TO 'agent'@'localhost'
2 rows in set (0.00 sec)

mysql> SHOW GRANTS FOR 'agent'@'%'\G
*************************** 1. row ***************************
Grants for agent@%: GRANT SELECT, PROCESS, SHOW DATABASES, SUPER, REPLICATION CLIENT ON *.* TO 'agent'@'%' IDENTIFIED BY PASSWORD '*PASSWORD_HASH'
*************************** 2. row ***************************
Grants for agent@%: GRANT SELECT, INSERT, CREATE ON `mysql`.* TO 'agent'@'%'
2 rows in set (0.00 sec)

Rules triggered by the created accounts:
- Account Has Strong MySQL Privileges
- Non-Authorized User Has Server Admin Privileges
- Non-Authorized User Has DB, Table, Or Index Privileges On All Databases

Bug #41866 is dealing with the SUPER privilege which is granted to the agent.

How to repeat:
1. Install the MEM agent and let the installer create the database account.

Suggested fix:
Change 'agent'@'%' to 'agent'@'127.0.0.1'

I've tested this with skip_name_resolve set.

[18 May 2011 8:34] Daniël van Eeden
Data collections like privileges_on_all_dbs should automatically ignore the mysql agent user OR the mysql agent user should only get privileges on selected databases.

[18 May 2011 9:26] Valeriy Kravchuk
Thank you for the problem report.

[5 Feb 2014 13:54] Mark Leith
The privileges are now handled very differently with a 3.0 agent, and we only use SUPER when necessary. There are other bugs around not tracking the agent user with these particular rules as well. Closing.
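
Added example, not part of the bug thread and not MySQL Enterprise Monitor code: a small audit that parses `SHOW GRANTS` output like the report's and flags the three conditions it raises (wildcard host, administrative privileges at global scope, data privileges on `*.*`). The `ADMIN_PRIVS` and `DATA_PRIVS` sets and the function name are assumptions standing in for local policy, not MEM's rule definitions.

```python
import re

# The four grant lines quoted in the report, embedded as sample input.
SAMPLE_GRANTS = [
    "Grants for agent@localhost: GRANT SELECT, PROCESS, SHOW DATABASES, SUPER, "
    "REPLICATION CLIENT ON *.* TO 'agent'@'localhost' IDENTIFIED BY PASSWORD '*PASSWORD_HASH'",
    "Grants for agent@localhost: GRANT SELECT, INSERT, CREATE ON `mysql`.* TO 'agent'@'localhost'",
    "Grants for agent@%: GRANT SELECT, PROCESS, SHOW DATABASES, SUPER, "
    "REPLICATION CLIENT ON *.* TO 'agent'@'%' IDENTIFIED BY PASSWORD '*PASSWORD_HASH'",
    "Grants for agent@%: GRANT SELECT, INSERT, CREATE ON `mysql`.* TO 'agent'@'%'",
]

# Assumption: local policy sets, not MEM's own rule definitions.
ADMIN_PRIVS = {"SUPER", "FILE", "SHUTDOWN", "RELOAD", "CREATE USER", "ALL PRIVILEGES"}
DATA_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER", "INDEX"}

GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

def audit_grants(lines):
    """Return {account: sorted findings} for SHOW GRANTS output lines."""
    findings = {}
    for line in lines:
        m = GRANT_RE.search(line)
        if not m:
            continue  # separators, row counts, prompts
        found = findings.setdefault(f"{m['user']}@{m['host']}", set())
        # Drop column lists such as SELECT (c1, c2) before splitting on commas.
        privs = {p.strip().upper()
                 for p in re.sub(r"\([^)]*\)", "", m["privs"]).split(",")}
        if "%" in m["host"]:
            found.add("wildcard host")
        if m["scope"] == "*.*":
            for p in privs & ADMIN_PRIVS:
                found.add(f"global admin privilege: {p}")
            if privs & DATA_PRIVS:
                found.add("data privileges on all databases: "
                          + ", ".join(sorted(privs & DATA_PRIVS)))
    return {acct: sorted(f) for acct, f in findings.items()}

if __name__ == "__main__":
    for acct, issues in audit_grants(SAMPLE_GRANTS).items():
        print(acct, "->", "; ".join(issues) or "no findings")
```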