How to view permissions for a MySQL or MariaDB user

Reviewing a MySQL or MariaDB account’s privileges helps diagnose authorization failures and keeps applications from running with excessive permissions. Grant auditing is especially useful when resolving access errors like ERROR 1044 (42000), ERROR 1142 (42000), or unexpected schema visibility in production.

Privileges are assigned to accounts identified by both username and host, written as 'user'@'host'. During login, the server matches the client’s source host to the most specific account entry, then applies global, database, object-level privileges, plus any permissions inherited through roles.

Inspecting grants for other accounts requires sufficient administrative permission, and managed database services may restrict system-schema access. SHOW GRANTS output can expose internal database names and security requirements (SSL rules, resource limits), so treat it as sensitive when pasting into tickets or chat logs.

Steps to view permissions for a MySQL or MariaDB user:

Connect to the server with the mysql client using an account permitted to inspect grants.
```
$ mysql -h db01.example.net -u admin -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Server version: 8.0.36 MySQL Community Server - GPL
##### snipped #####
mysql>
```
Some installations authenticate root via socket authentication, which uses sudo mysql instead of mysql -u root -p.

Look up the target account’s host match in mysql.user.

mysql> SELECT User, Host FROM mysql.user WHERE User = 'appuser' ORDER BY Host;
+--------+-----------+
| User   | Host      |
+--------+-----------+
| appuser| %         |
| appuser| localhost |
+--------+-----------+
2 rows in set (0.00 sec)

Privileges apply to the full 'user'@'host' pair, and a more specific Host entry takes precedence over a wildcard like '%'.

Run SHOW GRANTS for the exact 'user'@'host' account.

mysql> SHOW GRANTS FOR 'appuser'@'%';
+-----------------------------------------------------------------------+
| Grants for appuser@%                                                  |
+-----------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'appuser'@'%'                                   |
| GRANT SELECT, INSERT, UPDATE ON `inventory`.* TO 'appuser'@'%'        |
| GRANT EXECUTE ON PROCEDURE `inventory`.`recalc_stock` TO 'appuser'@'%'|
| GRANT 'inventory_read'@'%' TO 'appuser'@'%'                           |
| SET DEFAULT ROLE 'inventory_read'@'%' TO 'appuser'@'%'                |
+-----------------------------------------------------------------------+
5 rows in set (0.00 sec)

GRANT USAGE ON *.* indicates an existing account with no additional privileges, ON *.* is global scope, ON `db`.* is database scope, and WITH GRANT OPTION indicates delegation rights.

Run SHOW GRANTS for the current session.

mysql> SHOW GRANTS;
+-------------------------------------------------------------+
| Grants for admin@%                                          |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION |
+-------------------------------------------------------------+
1 row in set (0.00 sec)

SHOW GRANTS without a FOR clause reports the connected account, while SHOW GRANTS FOR CURRENT_USER(); makes the target explicit.

Exit the mysql prompt.
```
mysql> exit
Bye
```

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.