JMX Resources (MBeans) for DSE utilities

After enabling Java Management Extensions (JMX) authentication, DataStax Enterprise (DSE) utilities and other third-party tools require MBean access to execute commands. The tools use JMX MBeans to remotely gather information and execute requests.

Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top level object automatically allows the same permission on all ancestors.

MBeans have the following modelled hierarchy for access control:

cql mbean hierarchy

MBREAD, MBWRITE, and equivalents are deprecated.

Synopsis

Use the following syntax to grant access:

  • ALL MBEANS

    GRANT <permission>[, <permission> ...]
ON ALL MBEANS
TO <role_name>;

    where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.

  • MBEANS <pattern>

    GRANT <permission>[, <permission> ...]
ON MBEANS '<class_name>:name=<value>,type=<value>'
TO <role_name>;

    where DSE supports wildcard characters in the value name to match one or more MBeans and permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.

  • MBEAN <name>

    GRANT <permission>[, <permission> ...]
ON MBEAN '<class_name>:name=<value>,type=<value>'
TO <role_name>;

    where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.

  • Revoke permissions syntax:

    REVOKE <permission_name>
ON <resource>
FROM <role_name>;

Permission matrix

Privilege Resource Permissions

ALL PERMISSIONS

ALL MBEANS

All operations that are applicable on all MBEANS.

ALL PERMISSIONS

MBEAN <name>

All operations that are applicable on the MBEAN.

ALL PERMISSIONS

MBEANS <pattern>

All operations that are applicable on MBEANS that match the wildcard pattern.

DESCRIBE

ALL MBEANS

Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about any mbean.

DESCRIBE

MBEAN <name>

Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about a named mbean.

DESCRIBE

MBEANS <pattern>

Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about any mbean matching a wildcard pattern.

EXECUTE

ALL MBEANS

Use MBEXECUTE or MBINVOKE on any mbean.

EXECUTE

MBEAN <name>

Use MBEXECUTE or MBINVOKE on named mbean.

EXECUTE

MBEANS <pattern>

Use MBEXECUTE or MBINVOKE on any mbean matching a wildcard pattern.

MODIFY

ALL MBEANS

Call MBSET on any mbean.

MODIFY

MBEAN <name>

Call MBSET on named mbean.

MODIFY

MBEANS <pattern>

Call MBSET on any mbean matching a wildcard pattern.

SELECT

ALL MBEANS

Use MBGET on any mbean.

SELECT

MBEAN <name>

Use MBGET on named mbean.

SELECT

MBEANS <pattern>

Use MBGET on any mbean matching a wildcard pattern.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com