mysql show user permissions is the SHOW GRANTS statement used to display privileges and roles assigned to a MySQL user account, outputting GRANT statements.
SHOW GRANTS [FOR user_or_role [USING role [, role] ...]];Tested on MySQL 8.0.32 on Ubuntu 22.04 with mysql client 8.0.
Where user_or_role follows the format 'user'@'host'. Omitting FOR shows grants for the current user. CURRENT_USER and CURRENT_USER() are synonyms.
Syntax
SHOW GRANTS [FOR user_or_role [USING role [, role] ...]];Options and Flags
| Option | Type | Default | Description |
|---|---|---|---|
FOR user_or_role |
String (user@host or role name) | None (current user if omitted) | Specify the account or role whose privileges to display. |
USING role [, role] ... |
String list | None | Include privileges from explicitly named activated roles (8.0+) |
CURRENT_USER |
Keyword | N/A | Show grants for the session’s user. Works in definer context (stored procedures). |
Usage Examples
1. Display grants for the current user
mysql -u admin -p -e "SHOW GRANTS FOR CURRENT_USER;"
# Output example:
# GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTIONRun this in any session to confirm your own privileges, particularly after role activation or FLUSH PRIVILEGES.
2. Show grants for a specific user from a remote host
mysql -u root -p -e "SHOW GRANTS FOR 'app_user'@'192.168.1.%';"
# Error if user does not exist:
# ERROR 1141 (42000): There is no such grant defined for user 'app_user'@'192.168.1.%'Always specify both user and host – omitting host defaults to '%'. Use this to audit production accounts during access reviews.
3. Check grants with explicit role inclusion
mysql -u root -p -e "SHOW GRANTS FOR 'readonly'@'%' USING 'analytic_role';"
# Shows additional privileges that come from the activated roleIn MySQL 8.0+, roles are not automatically included unless USING is added. This command reveals effective privileges of a user after role activation.
Troubleshooting & Common Errors
| Error Message / Code | Root Cause | Resolution Command |
|---|---|---|
| ERROR 1141 (42000): There is no such grant defined for user ‘user’@’host’ | User does not exist or has no privileges | CREATE USER 'user'@'host' IDENTIFIED BY 'password'; GRANT ... ; SHOW GRANTS FOR 'user'@'host'; |
| ERROR 1045 (28000): Access denied for user ‘dba’@’%’ (using password: YES) | Insufficient privilege to run SHOW GRANTS (needs SELECT on mysql.user or global SHOW GRANTS) |
Connect as root or grant: GRANT SHOW GRANTS ON *.* TO 'dba'@'%'; |
| Empty result set (no rows) | User exists but has no privileges (common for new users) | Grant at least one privilege, e.g., GRANT USAGE ON *.* TO 'user'@'host'; |
mysql show user permissions — Performance Considerations and Tuning
When retrieving MySQL user permissions via SHOW GRANTS, query latency is typically under 1ms for a single user. Environments with hundreds of users or complex role hierarchies may benefit from explicit tuning. Key performance drivers include network buffer sizing, connection timeouts, and parallelism for bulk lookups.
- Buffer sizes: The client-side
mysqltool uses themax_allowed_packetsetting to control the maximum result set chunk. To view or adjust:SHOW VARIABLES LIKE 'max_allowed_packet';(default 64 MB). For large grant lists, increasing this reduces fragmentation. - Timeouts: Connection and read timeouts abort slow operations. The MySQL Reference Manual (§5.1.8) documents
connect_timeout(default 10 s) andnet_read_timeout(default 30 s). Tune if repeatedSHOW GRANTScalls fail on congested links. - Parallelism: When scripting permission audits across many users, spawn multiple
mysql -e "SHOW GRANTS FOR ..."processes. Monitor withSHOW STATUS LIKE 'Threads_connected';to avoid exhausting themax_connectionslimit. - Batch sizing with roles: Instead of issuing separate
SHOW GRANTSfor each user, use theUSINGclause to resolve multiple roles in one call (doc: MySQL 8.2.5). This reduces round trips:SHOW GRANTS FOR 'admin'@'%' USING 'developer', 'readonly';.
The MySQL Reference Manual (Section 15.7.7.22) explicitly warns that SHOW GRANTS accesses the mysql.user and mysql.tables_priv system tables. Regular OPTIMIZE TABLE on those tables can improve scan speed. For TCP-level tuning, the Linux kernel’s net.core.rmem_default and net.core.wmem_default (documented in the kernel networking guide) affect MTU-sized transfers; check with sysctl net.core.rmem_default.
# Example: Tune MySQL client buffer and timeout for permission bulk dump
mysql --defaults-file=/etc/my.cnf
--max_allowed_packet=256M
--connect-timeout=5
-e "SHOW GRANTS FOR CURRENT_USER();"Multi-Cloud Comparison
| Feature | MySQL SHOW GRANTS | PostgreSQL Equivalent | AWS RDS for MySQL | Azure Database for MySQL | GCP Cloud SQL for MySQL |
|---|---|---|---|---|---|
| List user privileges | SHOW GRANTS FOR 'user'@'host' |
du+ in psql, or query pg_roles |
Same command (MySQL engine) | Same command (MySQL engine) | Same command (MySQL engine) |
| Role membership | Included in output if USING specified |
du shows role members |
Same | Same | Same |
| Current user | SHOW GRANTS FOR CURRENT_USER |
SELECT * FROM information_schema.applicable_roles |
Same | Same | Same |
| Cloud-specific IAM | N/A | N/A | Use mysql.rds_set_external_master and RDS IAM roles (not visible via SHOW GRANTS) |
Microsoft Entra ID authentication requires AAD_Login etc. – not shown by SHOW GRANTS |
Cloud SQL IAM database authentication uses cloudsql user – privileges per account |
Frequently Asked Questions
What is the difference between SHOW GRANTS and querying the mysql.user table?
Answer: SHOW GRANTS displays exact MySQL privileges for a user.
SHOW GRANTS is the authoritative method for viewing all permissions assigned to a user. The mysql.user table only contains global-level privilege columns and metadata like authentication plugin and password hash. To see schema/object-level grants, you must also inspect mysql.db and mysql.tables_priv.
# View all grants for a specific user
SHOW GRANTS FOR 'app_user'@'192.168.1.%';
# Query basic user record (no DB/table grants)
SELECT User, Host, plugin, password_last_changed FROM mysql.user WHERE User='app_user';When should I use the ‘SELECT * FROM mysql.user’ query instead of SHOW GRANTS?
Answer: Use it when you need to verify authentication plugin, password hash, or account locking status, not just privileges.
mysql.user stores account-level attributes like `account_locked`, `password_expired`, and `plugin`. This is essential for auditing user state before enabling 2FA or rotating credentials.
SELECT User, Host, plugin, account_locked, password_last_changed
FROM mysql.user
WHERE User NOT IN ('mysql.sys', 'mysql.session');How do I fix ERROR 1142 (42000) when running SHOW GRANTS?
Answer: The user executing SHOW GRANTS lacks the SHOW GRANTS privilege or SELECT on mysql.* tables.
This error indicates your current user does not have permission to view grants. Run the following as a privileged user (e.g., root or a user with `GRANT OPTION`):
GRANT SHOW GRANTS ON *.* TO 'devops_user'@'localhost';
FLUSH PRIVILEGES;
# Alternatively grant full SELECT (more permissive)
GRANT SELECT ON mysql.* TO 'devops_user'@'localhost';
FLUSH PRIVILEGES;After granting, reconnect and retry the original SHOW GRANTS command.
Does SHOW GRANTS work on Amazon RDS for MySQL?
Answer: Yes, SHOW GRANTS works on Amazon RDS MySQL 5.6+.
RDS restricts direct `mysql.user` modifications, but `SELECT` is permitted for users with the `rds_superuser` role. `SHOW GRANTS` is fully supported for all users. For cross-account audits on RDS, use:
SHOW GRANTS FOR CURRENT_USER();
# To view all users (requires rds_superuser)
SELECT User, Host FROM mysql.user;The same applies to Google Cloud SQL MySQL and Azure Database for MySQL.
What is the fastest way to retrieve all user permissions in MySQL?
Answer: Use a one-liner to generate SHOW GRANTS for each user, then execute all statements.
For large fleets, the following approach compiles every user’s grants into a single output without manual iteration:
# Generate and execute SHOW GRANTS for all non-system users
mysql -e "SELECT CONCAT('SHOW GRANTS FOR ''', user, '''@''', host, ''';') FROM mysql.user WHERE user NOT IN ('mysql.sys','mysql.session','root')" | mysql
# For structured output, use a JOIN on privilege tables
SELECT u.User, u.Host,
GROUP_CONCAT(DISTINCT CONCAT(db, '.', 'ALL') ORDER BY db SEPARATOR ', ') AS db_grants
FROM mysql.user u
LEFT JOIN mysql.db ON u.User = db.User AND u.Host = db.Host
GROUP BY u.User, u.Host;The first method is fastest for a complete privilege snapshot; the second is best for programmatic parsing.
Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.