initial design

proto/zitadel/authorizations/v2/authorization.proto

@@ -0,0 +1,104 @@
+syntax = "proto3";
+
+package zitadel.authorizations.v2;
+
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+
+message AuthorizationQuery {
+  oneof query {
+    option (validate.required) = true;
+
+    // Search for authorizations by their ID.
+    AuthorizationIDQuery authorization_id_query = 1;
+    // Search for authorizations by the ID of the user who was granted the authorization.
+    UserIDQuery user_id_query = 2;
+    // Search for authorizations by the ID of the organisation the user is part of.
+    UserOrganizationIDQuery user_organization_id_query = 3;
+    // Search for authorizations by the ID of the project the user was granted the authorization for.
+    ProjectIDQuery project_id_query = 4;
+    // Search for authorizations by the ID of the project grant the user was granted the authorization for.
+    ProjectGrantIDQuery project_grant_id_query = 5;
+    // Search for authorizations by the key of the role the user was granted.
+    RoleKeyQuery role_key_query = 6;
+
+    //    UserGrantProjectIDQuery project_id_query = 1;
+    //    UserGrantUserIDQuery user_id_query = 2;
+    //    UserGrantWithGrantedQuery with_granted_query = 3;
+    //    UserGrantRoleKeyQuery role_key_query = 4;
+    //    UserGrantProjectGrantIDQuery project_grant_id_query = 5;
+    //    UserGrantUserNameQuery user_name_query = 6;
+    //    UserGrantFirstNameQuery first_name_query = 7;
+    //    UserGrantLastNameQuery last_name_query = 8;
+    //    UserGrantEmailQuery email_query = 9;
+    //    UserGrantOrgNameQuery org_name_query = 10;
+    //    UserGrantOrgDomainQuery org_domain_query = 11;
+    //    UserGrantProjectNameQuery project_name_query = 12;
+    //    UserGrantDisplayNameQuery display_name_query = 13;
+    //    UserGrantUserTypeQuery user_type_query = 14;
+  }
+}
+
+message AuthorizationIDQuery {
+  string id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message UserIDQuery {
+  string user_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message UserOrganizationIDQuery {
+  string user_organization_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message ProjectIDQuery {
+  string project_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message ProjectGrantIDQuery {
+  string project_grant_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message RoleKeyQuery {
+  string role_key = 1 [(validate.rules).string = {max_len: 200}];
+  zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message Authorization {
+  // ID is the unique identifier of the authorization.
+  string id = 1;
+  // UserID represents the ID of the user who was granted the authorization.
+  string user_id = 2;
+  // UserOrganisationID represents the ID of the organisation the user is part of.
+  string user_organization_id = 3;
+  // ProjectID represents the ID of the project the user was granted the authorization for.
+  string project_id = 4;
+  // ProjectGrantID represents the ID of the project grant the user was granted the authorization for.
+  // This field is only set if the authorization was granted for a project grant and not a project directly.
+  string project_grant_id = 5;
+
+  // Roles contains the roles the user was granted for the project or project grant.
+  repeated Role roles = 6;
+}
+
+message Role {
+  // Key is the unique identifier of the role.
+  string key = 1;
+  // DisplayName is the human readable name of the role.
+  string display_name = 2;
+}

proto/zitadel/authorizations/v2/authorization_service.proto

@@ -0,0 +1,156 @@
+syntax = "proto3";
+
+package zitadel.authorizations.v2;
+
+import "google/protobuf/timestamp.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/authorizations/v2/authorization.proto";
+
+// AuthorizationService provides methods to manage authorizations for users within your projects and applications.
+//
+// For managing permissions and roles for ZITADEL internal resources, like organizations, projects,
+// users, etc., please use the PermissionsService.
+service AuthorizationsService {
+  // ListAuthorizations returns all authorizations matching the request and necessary permissions.
+  //
+  // Required permissions:
+  //   - "user.grant.read"
+  //   - no permissions required for listing own authorizations
+  rpc ListAuthorizations(ListAuthorizationsRequest) returns (ListAuthorizationsResponse) {}
+
+  // GetAuthorization returns the authorization by its ID.
+  //
+  // Required permissions:
+  //   - "user.grant.read"
+  //   - no permissions required for getting own authorization
+  rpc GetAuthorization(GetAuthorizationRequest) returns (GetAuthorizationResponse) {}
+
+  // CreateAuthorization creates a new authorization for a user in a project or project grant.
+  //
+  // Required permissions:
+  //   - "user.grant.write"
+  rpc CreateAuthorization(CreateAuthorizationRequest) returns (CreateAuthorizationResponse) {}
+
+  // UpdateAuthorization updates the authorization.
+  //
+  // Note that any role keys previously granted to the user and not present in the request will be revoked.
+  //
+  // Required permissions:
+  //   - "user.grant.write"
+  rpc UpdateAuthorization(UpdateAuthorizationRequest) returns (UpdateAuthorizationResponse) {}
+
+  // DeleteAuthorization deletes the authorization.
+  //
+  // In case the authorization is not found, the request will return a successful response as
+  // the desired state is already achieved.
+  // You can check the deletion date in the response to verify if the authorization was deleted during the request.
+  //
+  // Required permissions:
+  //   - "user.grant.delete"
+  rpc DeleteAuthorization(DeleteAuthorizationRequest) returns (DeleteAuthorizationResponse) {}
+}
+
+message ListAuthorizationsRequest {
+  // Paginate through the results using a limit.
+  zitadel.object.v2.ListQuery query = 1;
+  // Filter the authorizations to be returned.
+  repeated AuthorizationQuery queries = 2;
+}
+
+message ListAuthorizationsResponse {
+  // Details contains the pagination information.
+  zitadel.object.v2.ListDetails details = 1;
+  repeated Authorization authorizations = 2;
+}
+
+message GetAuthorizationRequest {
+  // ID is the unique identifier of the authorization.
+  string id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message GetAuthorizationResponse {
+  Authorization authorization = 1;
+}
+
+message CreateAuthorizationRequest {
+  // UserID is the ID of the user who should be granted the authorization.
+  string user_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Grant on either the project directly or on a project grant.
+  oneof grant {
+    option (validate.required) = true;
+
+    // Project is the ID of the project the user should be granted the authorization for.
+    string project_id = 2 [(validate.rules).string = {
+      min_len: 1
+      max_len: 200
+    }];
+    // ProjectGrant is the ID of the project grant the user should be granted the authorization for.
+    string project_grant_id = 3 [(validate.rules).string = {
+      min_len: 1
+      max_len: 200
+    }];
+  }
+  // RoleKeys are the keys of the roles the user should be granted.
+  repeated string role_keys = 4 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+      }
+    }
+  }];
+}
+
+message CreateAuthorizationResponse {
+  // ID is the unique identifier of the newly created authorization.
+  string id = 1;
+  // CreationDate is the timestamp when the authorization was created.
+  google.protobuf.Timestamp creation_date = 2;
+}
+
+message UpdateAuthorizationRequest {
+  // ID is the unique identifier of the authorization.
+  string id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // RoleKeys are the keys of the roles the user should be granted.
+  // Note that any role keys previously granted to the user and not present in the list will be revoked.
+  repeated string role_keys = 2 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+      }
+    }
+  }];
+}
+
+message UpdateAuthorizationResponse {
+  // ChangeDate is the timestamp when the authorization was last updated.
+  google.protobuf.Timestamp change_date = 1;
+}
+
+message DeleteAuthorizationRequest {
+  // ID is the unique identifier of the authorization.
+  string id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message DeleteAuthorizationResponse {
+  // DeletionDate is the timestamp when the authorization was deleted.
+  // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
+  // In case the deletion occurred in a previous request, the deletion date might not be set.
+  google.protobuf.Timestamp deletion_date = 1;
+}

proto/zitadel/metadata/v2/metadata.proto

@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.metadata.v2;
+
+option go_package ="github.com/zitadel/zitadel/pkg/grpc/metadata/v2";
+
+message Metadata {
+    //zitadel.v1.ObjectDetails details = 1; TODO?
+    string key = 2;
+    bytes value = 3;
+}
+
+message MetadataQuery {
+    oneof query {
+        option (validate.required) = true;
+        MetadataKeyQuery key_query = 1;
+    }
+}
+
+message MetadataKeyQuery {
+    string key = 1 [
+        (validate.rules).string = {max_len: 200}
+    ];
+    zitadel.v1.TextQueryMethod method = 2 [
+        (validate.rules).enum.defined_only = true
+    ];
+}

proto/zitadel/permissions/v2/manager.proto

@@ -0,0 +1,214 @@
+syntax = "proto3";
+
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+
+package zitadel.permissions.v2;
+
+/*
+message Manager2 {
+  // ID is the unique identifier of the manager role.
+  string id = 1;
+  // UserID is the ID of the user who was granted the manager role.
+  oneof user {
+    string user_id = 2;
+    User expanded = 3;
+  }
+  repeated string roles = 4;
+
+
+  oneof managerType {
+    // InstanceManager is the manager role for the instance.
+    InstanceManager instance_manager = 3;
+    // OrganizationManager is the manager role for the organization.
+    OrganizationManager organization_manager = 4;
+    // ProjectManager is the manager role for the project.
+    ProjectManager project_manager = 5;
+    // ProjectGrantManager is the manager role for the project grant.
+    ProjectGrantManager project_grant_manager = 6;
+  }
+}
+*/
+
+message Manager {
+
+  // ID is the unique identifier of the manager role.
+  string id = 1;
+  // User is the user who was granted the manager role.
+  User user = 2;
+//  string user_id = 3;
+//  string user_preferred_login_name = 4;
+//  string user_display_name = 5;
+//  string user_avatar_url = 6;
+//  string user_organization_id = 7;
+  // Resource is the type of the resource the manager roles were granted for.
+  oneof resource {
+    // Instance is returned if the manager roles were granted on the instance level.
+    bool instance = 3;
+    // Organization provides information about the organization the manager roles were granted for.
+    Organization organization = 4;
+    // Project provides information about the project the manager roles were granted for.
+    Project project = 5;
+    // ProjectGrant provides information about the project grant the manager roles were granted for.
+    ProjectGrant project_grant = 6;
+  }
+  // Roles are the roles that were granted to the user for the specified resource.
+  repeated string roles = 7;
+}
+
+message User {
+  // ID is the unique identifier of the user.
+  string id = 1;
+  // PreferredLoginName is the preferred login name of the user. This value is unique across the whole instance..
+  string preferred_login_name = 2;
+  // DisplayName is the public display name of the user.
+  // By default it's the user's given name and family name, their username or their email address.
+  string display_name = 3;
+  // AvatarURL is the URL to the user's public avatar image.
+  string avatar_url = 4;
+  // The organization the user belong to.
+  string organization_id = 5;
+
+  //  zitadel.user.v1.Type user_type = 10 TODO: peintner?
+}
+
+message Organization {
+  // ID is the unique identifier of the organization the user was granted the manager role for.
+  string id = 1;
+  // Name is the name of the organization the user was granted the manager role for.
+  string name = 2;
+}
+message Project {
+  // ID is the unique identifier of the project the user was granted the manager role for.
+  string id = 1;
+  // Name is the name of the project the user was granted the manager role for.
+  string name = 2;
+  // OrganizationID is the ID of the organization the project belongs to.
+  string organization_id = 3;
+}
+message ProjectGrant {
+  // ID is the unique identifier of the project grant the user was granted the manager role for.
+  string id = 1;
+  // ProjectID is the ID of the project the project grant belongs to.
+  string project_id = 2;
+  // ProjectName is the name of the project the project grant belongs to.
+  string project_name = 3;
+  // OrganizationID is the ID of the organization the project grant belongs to.
+  string organization_id = 4;
+}
+
+/*
+message SetInstanceManager {
+  // Roles are the roles that should be granted to the user.
+  repeated string roles = 1 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+        prefix: "IAM_" // TODO: do we want to limit here as well?
+      }
+    }
+  }];
+}
+
+message SetOrganizationManager {
+  // OrganizationID is the ID of the organization the user should be granted the manager role for.
+  string organization_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Roles are the roles that should be granted to the user within the specified organization.
+  repeated string roles = 2 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+        prefix: "ORG_" // TODO: do we want to limit here as well?
+      }
+    }
+  }];
+}
+
+message SetProjectManager {
+  // ProjectID is the ID of the project the user should be granted the manager role for.
+  string project_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Roles are the roles that should be granted to the user within the specified project.
+  repeated string roles = 2 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+        prefix: "PROJECT_" // TODO: do we want to limit here as well?
+      }
+    }
+  }];
+}
+
+message SetProjectGrantManager {
+  // ProjectGrantID is the ID of the project grant the user should be granted the manager role for.
+  string project_grant_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Roles are the roles that should be granted to the user within the specified project grant.
+  repeated string roles = 2 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+        prefix: "PROJECT_GRANT_" // TODO: do we want to limit here as well?
+      }
+    }
+  }];
+}
+*/
+
+message ManagerQuery {
+  oneof query {
+    option (validate.required) = true;
+
+    // Search for managers roles granted to a specific user.
+    UserIDQuery user_id_query = 1;
+    // Search for managers roles granted for a specific resource.
+    ResourceQuery resource_query = 2;
+    // Search for managers roles granted with a specific role.
+    RoleQuery role_query = 3;
+  }
+}
+
+message UserIDQuery {
+  // Search for managers by user ID.
+  string user_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message ResourceQuery {
+  // Search for managers by the granted resource.
+  oneof resource {
+    // Search for managers granted on the instance level.
+    bool instance = 1;
+    // Search for managers granted on a specific organization.
+    string organization_id = 2;
+    // Search for managers granted on a specific project.
+    string project_id = 3;
+    // Search for managers granted on a specific project grant.
+    string project_grant_id = 4;
+  }
+}
+
+message RoleQuery {
+  // Search for managers by the granted role.
+  string role_key = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}

proto/zitadel/permissions/v2/permission_service.proto

@@ -0,0 +1,189 @@
+syntax = "proto3";
+
+package zitadel.permissions.v2;
+
+import "google/protobuf/timestamp.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/permissions/v2/manager.proto";
+
+// PermissionsService provides methods to manage permissions for resource
+// and their management in ZITADEL itself.
+//
+// If you want to manage permissions and roles within your project or application,
+// please use the AuthorizationsService.
+service PermissionsService {
+  // ListManagers returns all managers and its roles matching the request and necessary permissions.
+  //
+  // Required permissions depend on the resource type:
+  //   - "iam.member.read" for instance managers
+  //   - "org.member.read" for organization managers
+  //   - "project.member.read" for project managers
+  //   - "project.grant.member.read" for project grant managers
+  //   - "user.membership.read" TODO: only this required?
+  //   - no permissions required for listing own manager roles
+  rpc ListManagers(ListManagersRequest) returns (ListManagersResponse) {}
+  // GetManager returns the manager role by its ID.
+  //
+  // Required permissions depend on the resource type:
+  //   - "iam.member.read" for instance managers
+  //   - "org.member.read" for organization managers
+  //   - "project.member.read" for project managers
+  //   - "project.grant.member.read" for project grant managers
+  //   - "user.membership.read" TODO: only this required?
+  //   - no permissions required for getting own manager roles
+  rpc GetManager(GetManagerRequest) returns (GetManagerResponse) {}
+  // CreateManager grants a manager role to a user.
+  //
+  // Required permissions depend on the resource type:
+  //   - "iam.member.write" for instance managers
+  //   - "org.member.write" for organization managers
+  //   - "project.member.write" for project managers
+  //   - "project.grant.member.write" for project grant managers
+  rpc CreateManager(CreateManagerRequest) returns (CreateManagerResponse) {}
+  // UpdateManager updates the manager role.
+  //
+  // Note that any role previously granted to the user and not present in the request will be revoked.
+  //
+  // Required permissions depend on the resource type:
+  //   - "iam.member.write" for instance managers
+  //   - "org.member.write" for organization managers
+  //   - "project.member.write" for project managers
+  //   - "project.grant.member.write" for project grant managers
+  rpc UpdateManager(UpdateManagerRequest) returns (UpdateManagerResponse) {}
+  // DeleteManager revokes a manager role from a user.
+  //
+  // Note that the deletion is only guaranteed to be successful if the user has the required permissions.
+  //
+  // Required permissions depend on the resource type:
+  //   - "iam.member.delete" for instance managers
+  //   - "org.member.delete" for organization managers
+  //   - "project.member.delete" for project managers
+  //   - "project.grant.member.delete" for project grant managers
+  rpc DeleteManager(DeleteManagerRequest) returns (DeleteManagerResponse) {}
+}
+
+message ListManagersRequest {
+  // Paginate through the results using a limit.
+  zitadel.object.v2.ListQuery query = 1;
+  // Filter the manager roles to be returned.
+  repeated ManagerQuery queries = 2;
+  repeated Expand expand = 3; // TODO: ?
+}
+
+enum Expand {
+  EXPAND_UNSPECIFIED = 0;
+  EXPAND_USER = 1;
+  EXPAND_RESOURCE = 2;
+}
+
+message ListManagersResponse {
+  // Details contains the pagination information.
+  zitadel.object.v2.ListDetails details = 1;
+  repeated Manager managers = 2;
+}
+
+message GetManagerRequest {
+  // ID is the unique identifier of the manager.
+  string id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message GetManagerResponse {
+  Manager manager = 1;
+}
+
+/*
+message CreateManagerRequest {
+  // UserID is the ID of the user who should be granted the manager role.
+  string user_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  oneof managerType {
+    SetInstanceManager instance_manager = 2;
+    SetOrganizationManager organization_manager = 3;
+    SetProjectManager project_manager = 4;
+    SetProjectGrantManager project_grant_manager = 5;
+  }
+}
+*/
+
+message CreateManagerRequest {
+  // UserID is the ID of the user who should be granted the manager role.
+  string user_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Resource is the type of the resource the manager roles should be granted for.
+  oneof resource {
+    option (validate.required) = true;
+
+    // Instance is the resource type for granting manager privileges on the instance level.
+    bool instance = 2 [(validate.rules).bool = {const: true}];
+    // OrganizationID is required to grant manager privileges for a specific organization.
+    string organization_id = 3;
+    // ProjectID is required to grant manager privileges for a specific project.
+    string project_id = 4;
+    // ProjectGrantID is required to grant manager privileges for a specific project grant.
+    string project_grant_id = 5;
+  }
+  // Roles are the roles that should be granted to the user for the specified resource.
+  repeated string roles = 6 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+      }
+    }
+  }];
+}
+
+message CreateManagerResponse {
+  // ID is the unique identifier of the newly created manager role.
+  string id = 1;
+  // CreationDate is the timestamp when the manager role was created.
+  google.protobuf.Timestamp creation_date = 2;
+}
+
+message UpdateManagerRequest {
+  // ManagerID is the ID of the manager role that should be updated.
+  string manager_role_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+  // Roles are the roles that the user should be granted.
+  // Note that any role previously granted to the user and not present in the list will be revoked.
+  repeated string roles = 2 [(validate.rules).repeated = {
+    unique: true
+    items: {
+      string: {
+        min_len: 1
+        max_len: 200
+      }
+    }
+  }];
+}
+
+message UpdateManagerResponse {
+  // ChangeDate is the timestamp when the manager role was last updated.
+  google.protobuf.Timestamp change_date = 1;
+}
+
+message DeleteManagerRequest {
+  // ManagerID is the ID of the manager role the user should be removed from.
+  string manager_role_id = 1 [(validate.rules).string = {
+    min_len: 1
+    max_len: 200
+  }];
+}
+
+message DeleteManagerResponse {
+  // DeletionDate is the timestamp when the manager role was deleted.
+  // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
+  // In case the deletion occurred in a previous request, the deletion date might not be set.
+  google.protobuf.Timestamp deletion_date = 1;
+}

proto/zitadel/user/v2/user_service.proto

@@ -11,10 +11,12 @@ import "zitadel/user/v2/idp.proto";
 import "zitadel/user/v2/password.proto";
 import "zitadel/user/v2/user.proto";
 import "zitadel/user/v2/query.proto";
+import "zitadel/metadata/v2/metadata.proto";
 import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 import "validate/validate.proto";
 
@@ -1232,6 +1234,140 @@ service UserService {
     };
   }
 
+  // ListMetadata returns all matching metadata entries for a user.
+  // You can filter by key only. Filtering by value is not supported yet.
+  // If no filter is specified, all metadata entries are returned.
+  //
+  // Required permissions:
+  //   - 'user.read'
+  //   - no permissions required for listing own metadata
+  rpc ListMetadata (ListMetadataRequest) returns (ListMetadataResponse) {}
+
+  // GetMetadata returns a single metadata entry of the user identified by the key.
+  //
+  // Required permissions:
+  //   - 'user.read'
+  //   - no permissions required for getting own metadata
+  rpc GetMetadata (GetMetadataRequest) returns (GetMetadataResponse) {}
+
+  // AddMetadata adds a new metadata entry to the user.
+  // If the key already exists, an error is returned.
+  //
+  // Required permissions:
+  //   - 'user.write'
+  rpc AddMetadata (AddMetadataRequest) returns (AddMetadataResponse) {}
+
+  // UpdateMetadata updates an existing metadata entry of the user.
+  // If the key does not exist, an error is returned.
+  //
+  // Required permissions:
+  //   - 'user.write'
+  rpc UpdateMetadata (UpdateMetadataRequest) returns (UpdateMetadataResponse) {}
+
+  // Set Metadata adds or updates a metadata entry of the user identified by the key.
+  // If the key does not exist, a new entry is created.
+  // If the key already exists, the value is updated.
+  // In case a key from an existing entry needs to be updated,
+  // the existing entry must be removed and a new one created.
+  //
+  // Required permissions:
+  //   - 'user.write'
+  rpc SetMetadata (SetMetadataRequest) returns (SetMetadataResponse) {}
+
+  // Remove Metadata removes an existing metadata entry from the user.
+  // If the key does not exist, the request wil return a success as the
+  // desired state is already achieved.
+  // You can check the deletion date in the response to verify if the
+  // metadata entry was removed during the request.
+  //
+  // Required permissions:
+  //   - 'user.write'
+  rpc RemoveMetadata (RemoveMetadataRequest) returns (RemoveMetadataResponse) {}
+}
+
+message ListMetadataRequest{
+  // The user ID of the user you like to get the metadata from.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Paginate through the results using a limit.
+  zitadel.object.v2.ListQuery query = 2;
+  // Filter the metadata to be returned.
+  repeated zitadel.metadata.v2.MetadataQuery queries = 3;
+}
+
+message ListMetadataResponse{
+  zitadel.object.v2.ListDetails details = 1;
+  repeated zitadel.metadata.v2.Metadata result = 2;
+}
+
+message GetMetadataRequest{
+  // The user ID of the user you like to get the metadata from.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata key is the unique identifier of the metadata entry.
+  string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetMetadataResponse{
+  zitadel.metadata.v2.Metadata metadata = 1;
+}
+
+message AddMetadataRequest{
+  // The user ID of the user you like to add the metadata to.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata key is the unique identifier of the metadata entry.
+  // If an entry with the same key already exists, an error is returned.
+  string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata value is the value of the metadata entry.
+  bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}];
+}
+
+message AddMetadataResponse{
+  // CreationDate is the timestamp the metadata entry was created.
+  google.protobuf.Timestamp creation_date = 1;
+}
+
+message UpdateMetadataRequest{
+  // The user ID of the user you like to update the metadata from.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata key is the unique identifier of the metadata entry.
+  // If an entry with the same key does not exist, an error is returned.
+  string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata value is the value of the metadata entry.
+  bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}];
+}
+
+message UpdateMetadataResponse{
+  // ChangeDate is the the timestamp the metadata entry was last updated.
+  google.protobuf.Timestamp change_date = 1;
+}
+
+message SetMetadataRequest{
+  // The user ID of the user you like to set the metadata from.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata key is the unique identifier of the metadata entry.
+  // An existing entry with the same key will be updated. The key cannot be changed.
+  // If you need to change the key, remove the existing entry and create a new one.
+  string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata value is the value of the metadata entry.
+  bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}];
+}
+
+message SetMetadataResponse{
+  // ChangeDate is the the timestamp the metadata entry was last set, either created or updated.
+  google.protobuf.Timestamp change_date = 2;
+}
+
+message RemoveMetadataRequest{
+  // The user ID of the user you like to remove the metadata from.
+  string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  // Metadata key is the unique identifier of the metadata entry.
+  string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMetadataResponse{
+  // DeletionDate is the timestamp the metadata entry was deleted.
+  // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
+  // In case the deletion occurred in a previous request, the deletion date might not be set.
+  google.protobuf.Timestamp deletion_date = 1;
 }
 
 message AddHumanUserRequest{