DBMS USER METADATA MANAGEMENT privileges
AuraDB Business CriticalAuraDB Virtual Dedicated CloudEnterprise EditionIntroduced in 2026.06

The DBMS privileges for user metadata management control who can administer and view user tags. They can be granted, denied, or revoked like other privileges.

USER METADATA MANAGEMENT has two sub-privileges: SET USER METADATA and SHOW USER METADATA. Granting USER METADATA MANAGEMENT automatically grants both sub-privileges.

The user metadata privileges are required in addition to the existing privileges needed for the containing commands:

  • SET USER METADATA is needed to SET, ADD, or REMOVE tags. The privileges required for the containing commands (CREATE USER and ALTER USER) are unchanged and are still needed in addition to SET USER METADATA.

  • SHOW USER METADATA is needed to see tags via the SHOW USERS and SHOW CURRENT USER commands. The privilege required to run SHOW USERS is unchanged and is still needed in addition to SHOW USER METADATA in order to show users with their metadata.

USER METADATA MANAGEMENT (and children) sit outside of the hierarchy of other user and management privileges because they infer the ability (via ABAC) to grant roles to users and, as such, are considered particularly potent privileges, on a par with ROLE MANAGEMENT.

The semantics of how these privileges interact with the attribute and tag administration commands are covered in the Creating users, Modifying users, and Showing users sections.

For more details about the syntax descriptions, see Reading the administration commands syntax.
Table 1. User metadata management privileges command syntax
Command Description 
GRANT [IMMUTABLE] SET USER METADATA
  ON DBMS
  TO role[, ...]

Enables the specified roles to set, add, and remove user tags.

 
GRANT [IMMUTABLE] SHOW USER METADATA
  ON DBMS
  TO role[, ...]

Enables the specified roles to view user tags.

 
GRANT [IMMUTABLE] USER METADATA MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to set, remove, and view user tags.

Grant privilege to set user metadata

You can grant the privilege to set, add, and remove user tags using the SET USER METADATA privilege.
For example:

GRANT SET USER METADATA ON DBMS TO userMetadataSetter;

As a result, the userMetadataSetter role has privileges that allow setting user tags.

SET USER METADATA is required in addition to the existing privileges for the containing commands. For example, to attach tags when creating a user, a role needs both CREATE USER and SET USER METADATA; to change tags on an existing user, a role needs both ALTER USER and SET USER METADATA.

To show all privileges for the role userMetadataSetter as commands, use the following query:

SHOW ROLE userMetadataSetter PRIVILEGES AS COMMANDS;
Table 2. Result
command

"GRANT SET USER METADATA ON DBMS TO `userMetadataSetter`"

Rows: 1

Grant privilege to show user metadata

You can grant the privilege to view user tags using the SHOW USER METADATA privilege.
For example:

GRANT SHOW USER METADATA ON DBMS TO userMetadataViewer;

As a result, the userMetadataViewer role has privileges that allow viewing user tags.

SHOW USER METADATA is required in addition to the SHOW USER privilege. A role needs both SHOW USER and SHOW USER METADATA in order to show users together with their tags via the SHOW USERS and SHOW CURRENT USER commands.

To show all privileges for the role userMetadataViewer as commands, use the following query:

SHOW ROLE userMetadataViewer PRIVILEGES AS COMMANDS;
Table 3. Result
command

"GRANT SHOW USER METADATA ON DBMS TO `userMetadataViewer`"

Rows: 1

Grant privilege to manage user metadata

You can grant the privilege to set, remove, and view user tags using the USER METADATA MANAGEMENT privilege.
Granting USER METADATA MANAGEMENT automatically grants both the SET USER METADATA and SHOW USER METADATA sub-privileges.
For example:

GRANT USER METADATA MANAGEMENT ON DBMS TO userMetadataManager;

As a result, the userMetadataManager role has all privileges to manage user metadata.

To show all privileges for the role userMetadataManager as commands, use the following query:

SHOW ROLE userMetadataManager PRIVILEGES AS COMMANDS;
Table 4. Result
command

"GRANT USER METADATA MANAGEMENT ON DBMS TO `userMetadataManager`"

Rows: 1