The management service component of Management Agent for WebSphere requires custom security permissions. PolicyAgentManagementService_<appsvr_profile_name>.ear contains a configuration file named was.policy, which grants these permissions to the management service application code:
Copyright © TIBCO Software Inc. All Rights Reserved.