We are using sp_monitorconfig in our code. According to this doc
we need either manage server privilege or user with sa_role to run it. Providing this is bit risky. Are there any roles with lesser risk that can we can provide to the user since we are trying to create a read only user?
There is a way to allow other users to run sp_monitor config through a wrapper procedure that uses a hidden password-activated role to temporarily grant sa_role so that they can execute sp_monitorconfig (or whatever else the wrapper procedure is written to let them do) but not anything else.
See http://www.sypron.nl/grant_sa.html for details.