Merge branch 'main' into felix-mueller-patch-1

docs/apis-tools/operate-api/overview.md

@@ -126,6 +126,19 @@ curl -b cookie.txt -X POST 'http://localhost:8080/v1/process-definitions/search'
 | `POST /v1/decision-instances/search`             |                                       Search for decision instances |                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 | `GET /v1/decision-instances/{id}`                |                                         Get decision instance by id | The field `id` must be used here as path variable, because the `key` field is not unique for decision instances                                                                                                                                                                                                                                                                                                                               |
 
+## Multi-tenancy
+
+:::note
+The [multi-tenancy feature](../../self-managed/operate-deployment/operate-configuration.md#multi-tenancy) is available in Self-Managed setups only.
+:::
+
+All Operate endpoints for which tenant assignment is relevant will:
+
+- Return `tenantId` field in response
+- Provide `tenantId` search parameter
+
+Review the Swagger documentation for the exact request and response structure.
+
 ## Search
 
 Every object has a search `/v1/<object>/search` endpoint which can be requested by `POST` and a given query request.

docs/self-managed/concepts/multi-tenancy.md

@@ -12,7 +12,7 @@ enabled in all required components, see:
 
 - [Identity feature flags](../../../self-managed/identity/deployment/configuration-variables/#feature-flags)
 - [Zeebe multi-tenancy](../../../self-managed/zeebe-deployment/configuration/gateway-config/#zeebegatewaymultitenancy)
-- [Operate multi-tenancy](../../../self-managed/operate-deployment/operate-configuration/)
+- [Operate multi-tenancy](../../../self-managed/operate-deployment/operate-configuration/#multi-tenancy)
 - [Tasklist multi-tenancy](../../../self-managed/tasklist-deployment/tasklist-configuration/#multi-tenancy)
 - [Optimize multi-tenancy]($optimize$/self-managed/optimize-deployment/configuration/multi-tenancy/)
 - [Connectors multi-tenancy](../../../self-managed/connectors-deployment/connectors-configuration/#multi-tenancy)

docs/self-managed/operate-deployment/operate-configuration.md

@@ -10,6 +10,8 @@ By default, the configuration for Operate is stored in a YAML file (`application
 
 - [Webserver](#webserver)
   - [Security](#security)
+- [Multi-tenancy](#multi-tenancy)
+  - [Securing Operate - Zeebe interaction](#securing-operate---zeebe-interaction)
 - [Elasticsearch or OpenSearch](#elasticsearch-or-opensearch)
   - [Settings to connect](#settings-to-connect)
     - [Settings to connect to a secured Elasticsearch or OpenSearch instance](#settings-to-connect-to-a-secured-elasticsearch-or-opensearch-instance)
@@ -53,6 +55,35 @@ To change the values for http header for security reasons, you can use the confi
 | camunda.operate.websecurity.httpStrictTransportSecurityMaxAgeInSeconds   | See [Spring description](https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/html/default-security-headers-2.html#webflux-headers-hsts) | 63,072,000 (two years)                                                                                                                                                                                                                                                                                           |
 | camunda.operate.websecurity.httpStrictTransportSecurityIncludeSubDomains | See [Spring description](https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/html/default-security-headers-2.html#webflux-headers-hsts) | true                                                                                                                                                                                                                                                                                                             |
 
+## Multi-tenancy
+
+From version 8.3 onwards, Operate has been enhanced to support multi-tenancy for Self-Managed setups. More information about
+the feature can be found in [the multi-tenancy documentation](../concepts/multi-tenancy.md).
+
+The following configuration is required to enable multi-tenancy in Operate:
+
+| Name                                 | Description                                          | Default value |
+| ------------------------------------ | ---------------------------------------------------- | ------------- |
+| camunda.operate.multiTenancy.enabled | Activates the multi-tenancy feature within Tasklist. | false         |
+
+:::caution
+To ensure seamless integration and functionality, the multi-tenancy feature should also be enabled across all associated components. This is done using their specific multi-tenancy feature flags.
+:::
+
+If multi-tenancy is enabled across components, users are allowed to view any data from tenants for which they have authorizations configured in Identity.
+
+If multi-tenancy is disabled in Operate, all users are allowed to view data from the `<default>` tenant only and no data from other tenants.
+
+If multi-tenancy is enabled in Operate but disabled in Identity (or Identity is unreachable for other reasons), users will not have any tenant authorizations in Operate
+and will not be able to access the data of any tenants in Operate.
+
+The same rules apply to the [Operate API](../../apis-tools/operate-api/overview.md#multi-tenancy).
+
+### Securing Operate - Zeebe interaction
+
+While executing user operations, Operate communicates with Zeebe using the Zeebe Java client. For Zeebe to know whether operations are allowed to be executed
+in terms of tenant assignment, Operate - Zeebe connection must be secured. Check the list of environment variables to be provided in the [Zeebe documentation](../../zeebe-deployment/security/client-authorization/#environment-variables).
+
 ## Elasticsearch or OpenSearch
 
 Operate stores and reads data from Elasticsearch or OpenSearch.

docs/self-managed/operational-guides/update-guide/820-to-830.md

@@ -119,6 +119,11 @@ be shortened, set the following properties to `false` while migrating Zeebe to `
   - Broker: `ZEEBE_BROKER_EXPERIMENTAL_CONSISTENCYCHECKS_ENABLEPRECONDITIONS`
   - Broker: `ZEEBE_BROKER_EXPERIMENTAL_CONSISTENCYCHECKS_ENABLEFOREIGNKEYCHECKS`
 
+### Operate migration
+
+Updating may take longer as a majority of Operate data must be re-indexed in Elasticsearch to add the `tenantId` field. To speed up data migration during version updates,
+consider adding more resources to your Elasticsearch cluster.
+
 ### Accessing existing data
 
 Once multi-tenancy is enabled, all existing data is owned by the `<default>` tenant. To continue to guarantee access to

versioned_docs/version-8.3/apis-tools/operate-api/overview.md

@@ -126,6 +126,19 @@ curl -b cookie.txt -X POST 'http://localhost:8080/v1/process-definitions/search'
 | `POST /v1/decision-instances/search`             |                                       Search for decision instances |                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 | `GET /v1/decision-instances/{id}`                |                                         Get decision instance by id | The field `id` must be used here as path variable, because the `key` field is not unique for decision instances                                                                                                                                                                                                                                                                                                                               |
 
+## Multi-tenancy
+
+:::note
+The [multi-tenancy feature](../../self-managed/operate-deployment/operate-configuration.md#multi-tenancy) is available in Self-Managed setups only.
+:::
+
+All Operate endpoints for which tenant assignment is relevant will:
+
+- Return `tenantId` field in response
+- Provide `tenantId` search parameter
+
+Review the Swagger documentation for the exact request and response structure.
+
 ## Search
 
 Every object has a search `/v1/<object>/search` endpoint which can be requested by `POST` and a given query request.

versioned_docs/version-8.3/self-managed/concepts/multi-tenancy.md

@@ -12,7 +12,7 @@ enabled in all required components, see:
 
 - [Identity feature flags](../../../self-managed/identity/deployment/configuration-variables/#feature-flags)
 - [Zeebe multi-tenancy](../../../self-managed/zeebe-deployment/configuration/gateway-config/#zeebegatewaymultitenancy)
-- [Operate multi-tenancy](../../../self-managed/operate-deployment/operate-configuration/)
+- [Operate multi-tenancy](../../../self-managed/operate-deployment/operate-configuration/#multi-tenancy)
 - [Tasklist multi-tenancy](../../../self-managed/tasklist-deployment/tasklist-configuration/#multi-tenancy)
 - [Optimize multi-tenancy]($optimize$/self-managed/optimize-deployment/configuration/multi-tenancy/)
 - [Connectors multi-tenancy](../../../self-managed/connectors-deployment/connectors-configuration/#multi-tenancy)

versioned_docs/version-8.3/self-managed/operate-deployment/operate-configuration.md

@@ -10,6 +10,8 @@ By default, the configuration for Operate is stored in a YAML file (`application
 
 - [Webserver](#webserver)
   - [Security](#security)
+- [Multi-tenancy](#multi-tenancy)
+  - [Securing Operate - Zeebe interaction](#securing-operate---zeebe-interaction)
 - [Elasticsearch or OpenSearch](#elasticsearch-or-opensearch)
   - [Settings to connect](#settings-to-connect)
     - [Settings to connect to a secured Elasticsearch or OpenSearch instance](#settings-to-connect-to-a-secured-elasticsearch-or-opensearch-instance)
@@ -53,6 +55,35 @@ To change the values for http header for security reasons, you can use the confi
 | camunda.operate.websecurity.httpStrictTransportSecurityMaxAgeInSeconds   | See [Spring description](https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/html/default-security-headers-2.html#webflux-headers-hsts) | 63,072,000 (two years)                                                                                                                                                                                                                                                                                           |
 | camunda.operate.websecurity.httpStrictTransportSecurityIncludeSubDomains | See [Spring description](https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/html/default-security-headers-2.html#webflux-headers-hsts) | true                                                                                                                                                                                                                                                                                                             |
 
+## Multi-tenancy
+
+From version 8.3 onwards, Operate has been enhanced to support multi-tenancy for Self-Managed setups. More information about
+the feature can be found in [the multi-tenancy documentation](../concepts/multi-tenancy.md).
+
+The following configuration is required to enable multi-tenancy in Operate:
+
+| Name                                 | Description                                          | Default value |
+| ------------------------------------ | ---------------------------------------------------- | ------------- |
+| camunda.operate.multiTenancy.enabled | Activates the multi-tenancy feature within Tasklist. | false         |
+
+:::caution
+To ensure seamless integration and functionality, the multi-tenancy feature should also be enabled across all associated components. This is done using their specific multi-tenancy feature flags.
+:::
+
+If multi-tenancy is enabled across components, users are allowed to view any data from tenants for which they have authorizations configured in Identity.
+
+If multi-tenancy is disabled in Operate, all users are allowed to view data from the `<default>` tenant only and no data from other tenants.
+
+If multi-tenancy is enabled in Operate but disabled in Identity (or Identity is unreachable for other reasons), users will not have any tenant authorizations in Operate
+and will not be able to access the data of any tenants in Operate.
+
+The same rules apply to the [Operate API](../../apis-tools/operate-api/overview.md#multi-tenancy).
+
+### Securing Operate - Zeebe interaction
+
+While executing user operations, Operate communicates with Zeebe using the Zeebe Java client. For Zeebe to know whether operations are allowed to be executed
+in terms of tenant assignment, Operate - Zeebe connection must be secured. Check the list of environment variables to be provided in the [Zeebe documentation](../../zeebe-deployment/security/client-authorization/#environment-variables).
+
 ## Elasticsearch or OpenSearch
 
 Operate stores and reads data from Elasticsearch or OpenSearch.

versioned_docs/version-8.3/self-managed/operational-guides/update-guide/820-to-830.md

@@ -119,6 +119,11 @@ be shortened, set the following properties to `false` while migrating Zeebe to `
   - Broker: `ZEEBE_BROKER_EXPERIMENTAL_CONSISTENCYCHECKS_ENABLEPRECONDITIONS`
   - Broker: `ZEEBE_BROKER_EXPERIMENTAL_CONSISTENCYCHECKS_ENABLEFOREIGNKEYCHECKS`
 
+### Operate migration
+
+Updating may take longer as a majority of Operate data must be re-indexed in Elasticsearch to add the `tenantId` field. To speed up data migration during version updates,
+consider adding more resources to your Elasticsearch cluster.
+
 ### Accessing existing data
 
 Once multi-tenancy is enabled, all existing data is owned by the `<default` tenant. To ensure continued access to this

versioned_sidebars/version-8.3-sidebars.json

@@ -1438,6 +1438,11 @@
                 "self-managed/identity/user-guide/authorizations/generating-m2m-tokens"
               ]
             },
+            {
+              "Tenants": [
+                "self-managed/identity/user-guide/tenants/managing-tenants"
+              ]
+            },
             {
               "Additional features": [
                 "self-managed/identity/user-guide/additional-features/adding-an-api",