Multi-tenancy 403 Forbidden on Deployment — Camunda 8 Self-Managed

I’m running Camunda 8 Self-Managed (Docker) with multi-tenancy enabled and tried deploying a BPMN file to a specific tenant using the REST API (/v2/deployments). However, I kept getting a 403 FORBIDDEN error, even though the tenant has a user assigned in Identity. I also noticed that tenants created in Identity don’t show up in Operate.

UPD: I gave up on Camunda 8.8, switched to 8.7, and now everything works fine.

Hi @HighL0ad,

This is a classic multi-tenancy configuration mismatch issue in Camunda 8 Self-Managed. The 403 FORBIDDEN error on /v2/deployments combined with tenants not showing up in Operate indicates that multi-tenancy isn’t properly configured across all components.

Here are the key things to check and fix:

1. Enable Multi-tenancy Consistently

Make sure multi-tenancy is enabled on all components. If you’re using Helm:

global:
  multitenancy:
    enabled: true

Or set MULTITENANCY_ENABLED=true on each component individually (Zeebe, Operate, Tasklist, Optimize, Connectors, Identity).

2. Identity Configuration

Verify your Identity configuration includes:

identity:
  env:
    - name: MULTITENANCY_ENABLED
      value: "true"
    - name: RESOURCE_PERMISSIONS_ENABLED
      value: "false"  # Start with this disabled for testing

Important: When RESOURCE_PERMISSIONS_ENABLED is true without proper resource permissions configured, even admin users will get 403 errors when managing tenants.

3. External Database for Identity

Multi-tenancy requires Identity to use an external database - in-memory databases are not supported. If Identity can’t properly persist tenant data, you’ll see these exact symptoms.

4. Token and Permissions

For the REST API deployment to work, ensure:

  • Your token is issued by the configured Identity/IdP
  • The token has the correct audience for Zeebe/Orchestration Cluster API
  • The user/client has tenant authorizations for the target tenant in Identity

5. Verify Tenant Checks are Enabled

Check that tenant checks are enabled in your orchestration cluster configuration:

orchestration.multitenancy.checks.enabled=true

Troubleshooting Steps:

  1. Check your deployment command: What headers and tenant ID are you sending to /v2/deployments?
  2. Verify Identity database: Can you see your tenants in the Identity database tables?
  3. Check component logs: Look for multi-tenancy related errors in Zeebe, Identity, and Operate logs
  4. Test with a simple tenant: Try creating a tenant through Identity UI first, then test deployment

Could you share:

  • Your Docker Compose or Helm configuration (sanitized)
  • The exact REST API call you’re making (headers + body)
  • Camunda version you’re running

This will help pinpoint the exact configuration issue.

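A preflight for the checks listed in the answer above (token audience, expiry, tenant ID present in the request), with the multipart `POST /v2/deployments` assembled but not sent until you choose to. This is an added example, not code from the thread or from Camunda. Assumptions: the cluster validates the audience `zeebe-api` (the Helm default; change it to whatever your Identity client is configured with), the endpoint takes `multipart/form-data` with a `resources` file field and a `tenantId` field, and the base URL `http://localhost:8080` is a placeholder. The `make_unsigned_token` helper only builds an `alg=none` fixture so the script runs offline; real Identity tokens are signed and the cluster verifies them.

```python
"""Preflight a tenant-scoped deployment to the Camunda 8 Orchestration Cluster
REST API (POST /v2/deployments). Standard library only; no network in tests."""
import base64
import json
import time
import urllib.error
import urllib.request
import uuid

DEFAULT_AUDIENCE = "zeebe-api"  # assumption: audience your cluster checks (Helm default)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return JWT claims WITHOUT verifying the signature. Client-side sanity
    check only; the cluster still verifies. Never use this for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def preflight(token: str, tenant_id: str, audience: str = DEFAULT_AUDIENCE, now=None) -> list:
    """List reasons the call will likely fail before we send it."""
    problems = []
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # `aud` may be a string or a list
    if audience not in aud:
        problems.append(f"token audience {aud} does not include {audience!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    if not tenant_id:
        problems.append("tenantId is empty; with multi-tenancy on, every deployment names a tenant")
    return problems


def build_deployment_request(base_url: str, token: str, tenant_id: str, bpmn_xml: bytes,
                             filename: str, boundary: str = None) -> urllib.request.Request:
    """Assemble the multipart POST for /v2/deployments; sending is separate."""
    boundary = boundary or uuid.uuid4().hex
    crlf = b"\r\n"
    body = b"".join([
        f"--{boundary}".encode(), crlf,
        f'Content-Disposition: form-data; name="resources"; filename="{filename}"'.encode(), crlf,
        b"Content-Type: application/xml", crlf, crlf, bpmn_xml, crlf,
        f"--{boundary}".encode(), crlf,
        b'Content-Disposition: form-data; name="tenantId"', crlf, crlf, tenant_id.encode(), crlf,
        f"--{boundary}--".encode(), crlf,
    ])
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/deployments", data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Accept", "application/json")
    return req


def explain_status(status: int) -> str:
    """Map the HTTP status to the check in the thread it points at."""
    return {
        401: "token not accepted: wrong issuer, expired, or audience mismatch",
        403: "token accepted but not authorized: check the user/client's tenant assignment "
             "in Identity and the RESOURCE_PERMISSIONS_ENABLED setting",
        404: "endpoint not found: check the base URL and that this is the Orchestration Cluster API",
    }.get(status, "ok" if 200 <= status < 300 else f"unexpected status {status}")


def deploy(req: urllib.request.Request) -> tuple:
    """Send the request and return (status, explanation). Network call."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, explain_status(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code)


def make_unsigned_token(claims: dict) -> str:
    """Constructed fixture: an alg=none JWT for offline runs. Not a real Identity token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed inputs: replace the token with one from your Identity/IdP before deploying.
    token = make_unsigned_token({"aud": ["zeebe-api"], "exp": int(time.time()) + 300})
    bpmn = b'<?xml version="1.0"?><definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"/>'
    issues = preflight(token, "tenant-a")
    if issues:
        print("not sending:", *issues, sep="\n  ")
    else:
        req = build_deployment_request("http://localhost:8080", token, "tenant-a", bpmn, "demo.bpmn")
        print("would POST", req.full_url, "with", len(req.data), "bytes; run deploy(req) to send")
```

If `preflight` is clean and you still get 403, the token itself is fine and the problem is on the authorization side (tenant assignment or resource permissions), which narrows the search considerably; a 401 instead points back at issuer or audience.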
When you say Identity do you mean Management identity or orchestration identity?