Description
Preflight Checklist
- I could not find a solution in the documentation, the existing issues or discussions
- I have joined the ZITADEL chat
Environment
Self-hosted
Version
4.4.0
Database
PostgreSQL
Database Version
No response
Describe the problem caused by this bug
Listing user metadata from another organization doesn't work with the Org User Manager permission (organization-level permissions), but setting user metadata works.
It works if I change to IAM User Manager (Zitadel instance-level permissions).
To reproduce
Organization A and B
Organization A is ZITADEL, the default organization
In organization A, I created a service account SA1 with a PAT $mytoken
User 1234 is in organization B
I added SA1 as an Org User Manager in organization B
But listing user metadata still fails:
grpcurl -v -d '{"user_id": "1234"}' -H "authorization: Bearer $mytoken" zitadel.example.com:443 zitadel.user.v2.UserService/ListUserMetadata
Resolved method descriptor:
rpc ListUserMetadata ( .zitadel.user.v2.ListUserMetadataRequest ) returns ( .zitadel.user.v2.ListUserMetadataResponse ) {
option (.google.api.http) = {
post: "/v2/users/{user_id}/metadata/search",
body: "*"
};
option (.grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { responses: [ { key: "200", value: { } } ] };
option (.zitadel.protoc_gen_zitadel.v2.options) = { auth_option: { permission: "user.read" } };
}
Request metadata to send:
authorization: Bearer redacted
Response headers received:
content-type: application/grpc
date: Fri, 17 Oct 2025 14:03:08 GMT
referrer-policy: strict-origin-when-cross-origin
server: CloudFront
strict-transport-security: max-age=31536000
vary: Origin
via: 1.1 redacted.cloudfront.net (CloudFront)
x-amz-cf-id: redacted
x-amz-cf-pop: redacted
x-cache: Miss from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
x-xss-protection: 1; mode=block
Response trailers received:
grpc-status-details-bin: CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA==
Sent 1 request and received 0 responses
ERROR:
Code: NotFound
Message: membership not found (AUTHZ-cdgFk)
Details:
1) {
"@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
"id": "AUTHZ-cdgFk",
"message": "membership not found"
}
It works if I set the IAM User Manager role for my service account SA1 in the default organization.
Weirdly, setting user metadata works with the Org User Manager in organization B:
grpcurl -v -d '{"user_id": "1234", "metadata":[{"key":"foo","value":"YmFy"}]}' -H "authorization: Bearer $mytoken" zitadel.example.com:443 zitadel.user.v2.UserService/SetUserMetadata
Resolved method descriptor:
rpc SetUserMetadata ( .zitadel.user.v2.SetUserMetadataRequest ) returns ( .zitadel.user.v2.SetUserMetadataResponse ) {
option (.google.api.http) = {
post: "/v2/users/{user_id}/metadata",
body: "*"
};
option (.grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: [
{ key: "200", value: { } },
{
key: "400",
value: { description: "User not found" }
}
]
};
option (.zitadel.protoc_gen_zitadel.v2.options) = { auth_option: { permission: "authenticated" } };
}
Request metadata to send:
authorization: Bearer redacted
Response headers received:
cache-control: no-store
content-type: application/grpc
date: Fri, 17 Oct 2025 14:02:53 GMT
expires: Fri, 17 Oct 2025 14:02:53 GMT
pragma: no-cache
referrer-policy: strict-origin-when-cross-origin
server: CloudFront
strict-transport-security: max-age=31536000
vary: Origin
via: 1.1 redacted.cloudfront.net (CloudFront)
x-amz-cf-id: redacted
x-amz-cf-pop: redacted
x-cache: Miss from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
x-xss-protection: 1; mode=block
Response contents:
{
"setDate": "2025-10-17T14:02:53.166071Z"
}
Response trailers received:
(empty)
Sent 1 request and received 1 response
Screenshots
No response
Expected behavior
Listing user metadata should work
Operating System
No response
Relevant Configuration
No response
Additional Context
No response
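The grpc-status-details-bin trailer in the failing ListUserMetadata call above is a base64-encoded google.rpc.Status message. The decoder below is an added example (not part of this issue or of ZITADEL's code) that parses that trailer without any protobuf library and extracts the status code, the message and the zitadel.v1.ErrorDetail id; this is handy when the AUTHZ error is captured from a proxy or access log rather than by grpcurl. The only input it assumes is a copy of the trailer quoted above.

```python
import base64
# Constructed copy of the grpc-status-details-bin trailer quoted in the issue above.
TRAILER = ("CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlz"
           "LmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA==")


def _varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_fields(buf):
    """Split a protobuf message into (field_number, value) pairs (wire types 0 and 2 only)."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:
            value, pos = _varint(buf, pos)
        elif wire_type == 2:
            length, pos = _varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type} in field {field}")
        fields.append((field, value))
    return fields


def decode_status_trailer(b64):
    """Decode grpc-status-details-bin (google.rpc.Status: 1=code, 2=message,
    3=details as Any{1=type_url, 2=value}; zitadel.v1.ErrorDetail: 1=id, 2=message)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # proxies may strip padding
    status = {"code": 0, "message": "", "details": []}
    for field, value in parse_fields(raw):
        if field == 1:
            status["code"] = value
        elif field == 2:
            status["message"] = value.decode()
        elif field == 3:
            any_msg = dict(parse_fields(value))
            detail = {"type_url": any_msg[1].decode()}
            if detail["type_url"].endswith("zitadel.v1.ErrorDetail"):
                inner = dict(parse_fields(any_msg[2]))
                detail.update(id=inner[1].decode(), message=inner[2].decode())
            status["details"].append(detail)
    return status
```

The id field (AUTHZ-cdgFk here) is the part worth keying alerts or log searches on, since it stays constant while the message text may change.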