diff --git a/alarms/api/requests.go b/alarms/api/requests.go
index 070992a23..01ae29917 100644
--- a/alarms/api/requests.go
+++ b/alarms/api/requests.go
@@ -31,8 +31,8 @@ func (req updateAlarmReq) validate() error {
 	if req.Alarm.ID == "" {
 		return errors.New("missing alarm id")
 	}
-	if req.Alarm.AssigneeID == "" && req.Alarm.AcknowledgedBy == "" && req.Alarm.ResolvedBy == "" {
-		return errors.New("at least one of assignee_id, acknowledged_by, or resolved_by must be set")
+	if req.Alarm.AssigneeID == "" && req.Alarm.AcknowledgedBy == "" && req.Alarm.ResolvedBy == "" && len(req.Alarm.Metadata) == 0 {
+		return errors.New("at least one of assignee_id, acknowledged_by, resolved_by, or metadata must be set")
 	}
 
 	return nil
diff --git a/alarms/middleware/authorization.go b/alarms/middleware/authorization.go
index ca0a8fb3e..1db88bd83 100644
--- a/alarms/middleware/authorization.go
+++ b/alarms/middleware/authorization.go
@@ -48,6 +48,12 @@ func (am *authorizationMiddleware) CreateAlarm(ctx context.Context, alarm alarms
 }
 
 func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	if len(alarm.Metadata) > 0 {
+		if err := am.authorize(ctx, operations.OpUpdateAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
 	if alarm.AssigneeID != "" {
 		if err := am.authorize(ctx, operations.OpAssignAlarm, session, policies.DomainType, session.DomainID); err != nil {
 			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
diff --git a/alarms/operations/operations.go b/alarms/operations/operations.go
index e7277ae48..2e536da4c 100644
--- a/alarms/operations/operations.go
+++ b/alarms/operations/operations.go
@@ -15,6 +15,7 @@ const (
 	OpAssignAlarm
 	OpAcknowledgeAlarm
 	OpResolveAlarm
+	OpUpdateAlarm
 )
 
 func OperationDetails() map[permissions.Operation]permissions.OperationDetails {
@@ -43,5 +44,9 @@ func OperationDetails() map[permissions.Operation]permissions.OperationDetails {
 			Name:               "resolve",
 			PermissionRequired: true,
 		},
+		OpUpdateAlarm: {
+			Name:               "update",
+			PermissionRequired: true,
+		},
 	}
 }