[Bug]: Cross-organization ListUserMetadata doesn't work, but SetUserMetadata does #10925

@dataviruset

Description

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

Self-hosted

Version

4.4.0

Database

PostgreSQL

Database Version

No response

Describe the problem caused by this bug

Listing user metadata from another organization doesn't work with the Org User Manager permission (organization-level permissions), but setting user metadata works.
It works if I change to IAM User Manager (Zitadel instance-level permissions).

To reproduce

  • Organizations A and B; organization A is ZITADEL, the default organization
  • In organization A, I created a service account SA1 with a PAT $mytoken
  • User 1234 is in organization B
  • I added SA1 as an Org User Manager in organization B
  • But listing user metadata still fails:

grpcurl -v -d '{"user_id": "1234"}' -H "authorization: Bearer $mytoken" zitadel.example.com:443 zitadel.user.v2.UserService/ListUserMetadata

Resolved method descriptor:
rpc ListUserMetadata ( .zitadel.user.v2.ListUserMetadataRequest ) returns ( .zitadel.user.v2.ListUserMetadataResponse ) {
  option (.google.api.http) = {
    post: "/v2/users/{user_id}/metadata/search",
    body: "*"
  };
  option (.grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { responses: [ { key: "200", value: { } } ] };
  option (.zitadel.protoc_gen_zitadel.v2.options) = { auth_option: { permission: "user.read" } };
}

Request metadata to send:
authorization: Bearer redacted

Response headers received:
content-type: application/grpc
date: Fri, 17 Oct 2025 14:03:08 GMT
referrer-policy: strict-origin-when-cross-origin
server: CloudFront
strict-transport-security: max-age=31536000
vary: Origin
via: 1.1 redacted.cloudfront.net (CloudFront)
x-amz-cf-id: redacted
x-amz-cf-pop: redacted
x-cache: Miss from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
x-xss-protection: 1; mode=block

Response trailers received:
grpc-status-details-bin: CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA==
Sent 1 request and received 0 responses
ERROR:
  Code: NotFound
  Message: membership not found (AUTHZ-cdgFk)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTHZ-cdgFk",
    	  "message": "membership not found"
    	}

It works if I set the IAM User Manager role for my service account SA1 in the default organization.
Weirdly, setting user metadata works with the Org User Manager in organization B:

grpcurl -v -d '{"user_id": "1234", "metadata":[{"key":"foo","value":"YmFy"}]}' -H "authorization: Bearer $mytoken" zitadel.example.com:443 zitadel.user.v2.UserService/SetUserMetadata

Resolved method descriptor:
rpc SetUserMetadata ( .zitadel.user.v2.SetUserMetadataRequest ) returns ( .zitadel.user.v2.SetUserMetadataResponse ) {
  option (.google.api.http) = {
    post: "/v2/users/{user_id}/metadata",
    body: "*"
  };
  option (.grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
    responses: [
      { key: "200", value: { } },
      {
        key: "400",
        value: { description: "User not found" }
      }
    ]
  };
  option (.zitadel.protoc_gen_zitadel.v2.options) = { auth_option: { permission: "authenticated" } };
}

Request metadata to send:
authorization: Bearer redacted

Response headers received:
cache-control: no-store
content-type: application/grpc
date: Fri, 17 Oct 2025 14:02:53 GMT
expires: Fri, 17 Oct 2025 14:02:53 GMT
pragma: no-cache
referrer-policy: strict-origin-when-cross-origin
server: CloudFront
strict-transport-security: max-age=31536000
vary: Origin
via: 1.1 redacted.cloudfront.net (CloudFront)
x-amz-cf-id: redacted
x-amz-cf-pop: redacted
x-cache: Miss from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
x-xss-protection: 1; mode=block

Response contents:
{
  "setDate": "2025-10-17T14:02:53.166071Z"
}

Response trailers received:
(empty)
Sent 1 request and received 1 response

Screenshots

No response

Expected behavior

Listing user metadata should work

Operating System

No response

Relevant Configuration

No response

Additional Context

No response
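The two method descriptors quoted above show where the asymmetry sits: ListUserMetadata is gated on the `user.read` permission, whereas SetUserMetadata is gated only on `authenticated`, so the org-scoped membership check is exercised by the read path and not by the write path. When reproducing this behind a proxy or from a client library, the only thing you may get back is the raw `grpc-status-details-bin` trailer rather than grpcurl's decoded view. The following is an added example, not part of the issue and not ZITADEL's own code, that decodes that trailer using nothing but the protobuf wire format (no .proto files, no grpc library), so the ZITADEL error id (here AUTHZ-cdgFk) can be pulled out of a captured response. The field numbers for zitadel.v1.ErrorDetail (1 = id, 2 = message) are inferred from the bytes in this trailer, not taken from the ZITADEL proto definition; the `google.rpc.Status` and `google.protobuf.Any` layouts are the standard ones.

```python
import base64

# Constructed input: the grpc-status-details-bin trailer from the failing
# ListUserMetadata call quoted in this issue, copied verbatim.
TRAILER = "CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA=="

# Standard gRPC status codes that an authorization failure commonly surfaces as.
GRPC_CODE_NAMES = {0: "OK", 3: "InvalidArgument", 5: "NotFound",
                   7: "PermissionDenied", 16: "Unauthenticated"}


def _read_varint(buf: bytes, pos: int):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def decode_fields(buf: bytes):
    """Split a protobuf message into (field_number, raw_value) pairs.

    Varints come back as int, length-delimited fields as bytes, fixed-width
    fields as raw bytes. No schema is needed: the wire format is self-delimiting.
    """
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x07
        if wire_type == 0:                      # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited (string/bytes/message)
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 1:                    # 64-bit fixed
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 5:                    # 32-bit fixed
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.append((number, value))
    return fields


def decode_status(trailer_b64: str) -> dict:
    """Decode a grpc-status-details-bin trailer (base64 of google.rpc.Status).

    google.rpc.Status: 1 = code, 2 = message, 3 = details (repeated google.protobuf.Any)
    google.protobuf.Any: 1 = type_url, 2 = value
    zitadel.v1.ErrorDetail: assumed 1 = id, 2 = message (inferred from this trailer)
    """
    # gRPC permits unpadded base64 in -bin metadata; restore padding before decoding.
    raw = base64.b64decode(trailer_b64 + "=" * (-len(trailer_b64) % 4))
    status = {"code": 0, "code_name": "OK", "message": "", "details": []}
    for number, value in decode_fields(raw):
        if number == 1:
            status["code"] = value
            status["code_name"] = GRPC_CODE_NAMES.get(value, f"code {value}")
        elif number == 2:
            status["message"] = value.decode("utf-8")
        elif number == 3:
            any_msg = dict(decode_fields(value))
            detail = {"type_url": any_msg.get(1, b"").decode("utf-8")}
            if detail["type_url"].endswith("/zitadel.v1.ErrorDetail"):
                inner = dict(decode_fields(any_msg.get(2, b"")))
                detail["id"] = inner.get(1, b"").decode("utf-8")
                detail["message"] = inner.get(2, b"").decode("utf-8")
            else:
                # Unknown Any payload: keep the raw bytes so nothing is silently lost.
                detail["value_hex"] = any_msg.get(2, b"").hex()
            status["details"].append(detail)
    return status


if __name__ == "__main__":
    import json
    print(json.dumps(decode_status(TRAILER), indent=2))
```

Run as a script it prints the same structure grpcurl showed: code 5 (NotFound), the message "membership not found (AUTHZ-cdgFk)", and one ErrorDetail with id AUTHZ-cdgFk. `decode_status` works on any gRPC status trailer; Any payloads other than zitadel.v1.ErrorDetail are kept as hex rather than guessed at.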

Labels

bug (Something isn't working), service-layer, v2 API (api version), v4 (The issue is related to a v4.x release)

Status

📋 Sprint Backlog
