- 1 minutes to read

What permissions does the Monitoring Agent need on WSO2 servers?

Minimum access is enough: JMX read access for WSO2 Enterprise Integrator or Management API access for WSO2 Micro Integrator. This FAQ explains the permissions that the monitoring agent needs and the permissions it does not need.

Minimum Permissions

The monitoring agent connects over the network. It does not need an operating system account on the WSO2 server, SSH keys, filesystem access, or database access.

WSO2 Enterprise Integrator

WSO2 Enterprise Integrator monitoring uses JMX on port 9999. Remote Actions that call management endpoints over HTTPS on port 9443 need admin credentials.

WSO2 Micro Integrator

WSO2 Micro Integrator monitoring uses the Management API on port 9164. The agent authenticates with the credentials configured in deployment.toml.

Security Best Practice

Create a dedicated nodinite-monitor account, restrict network access to the required ports, and rotate admin credentials on a regular schedule. That security best practice limits exposure while still supporting monitoring and Remote Actions.

Next Steps

  • FAQ - Carbon Credentials — Review when admin credentials are optional and when they are required.
  • POC — Validate permissions and network access in a proof of concept.