diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 50c00e0..17e8343 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -42,8 +42,8 @@ quarkus.test.integration-test-profile=test
 %test.tkit.rs.context.tenant-id.mock.default-tenant=default
 %test.tkit.rs.context.tenant-id.mock.claim-org-id=orgId
 %test.tkit.rs.context.tenant-id.mock.token-header-param=apm-principal-token
-%test.tkit.rs.context.tenant-id.mock.data.org1=tenant-100
-%test.tkit.rs.context.tenant-id.mock.data.org2=tenant-200
+%test.tkit.rs.context.tenant-id.mock.data.org1=100
+%test.tkit.rs.context.tenant-id.mock.data.org2=200
 %test.tkit.rs.context.tenant-id.mock.data.i100=i100
 %test.quarkus.keycloak.devservices.roles.bob=n3
 %test.smallrye.jwt.verify.key.location=${keycloak.url}/realms/quarkus/protocol/openid-connect/certs
diff --git a/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTest.java b/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTest.java
new file mode 100644
index 0000000..544836d
--- /dev/null
+++ b/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTest.java
@@ -0,0 +1,117 @@
+package io.github.onecx.permission.rs.external.v1;
+
+import static io.restassured.RestAssured.given;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.jboss.resteasy.reactive.RestResponse.Status.*;
+
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+import org.tkit.quarkus.test.WithDBData;
+
+import gen.io.github.onecx.permission.rs.external.v1.model.*;
+import io.github.onecx.permission.rs.external.v1.controllers.PermissionRestController;
+import io.github.onecx.permission.test.AbstractTest;
+import io.quarkus.test.common.http.TestHTTPEndpoint;
+import io.quarkus.test.junit.QuarkusTest;
+
+@QuarkusTest
+@TestHTTPEndpoint(PermissionRestController.class)
+@WithDBData(value = "data/test-v1.xml", deleteBeforeInsert = true, deleteAfterTest = true, rinseAndRepeat = true)
+class PermissionRestControllerTenantTest extends AbstractTest {
+
+    @Test
+    void getApplicationPermissionsTest() {
+
+        var accessToken = createToken("org1", List.of("n3-100"));
+
+        var dto = given()
+                .contentType(APPLICATION_JSON)
+                .header(APM_HEADER_PARAM, accessToken)
+                .body(new PermissionRequestDTOV1().token(accessToken))
+                .post("/application/app1")
+                .then()
+                .statusCode(OK.getStatusCode())
+                .extract()
+                .body().as(ApplicationPermissionsDTOV1.class);
+
+        assertThat(dto).isNotNull();
+        assertThat(dto.getPermissions()).isNotNull().hasSize(1);
+        assertThat(dto.getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a2");
+
+    }
+
+    @Test
+    void getWorkspacePermissionsTest() {
+
+        var accessToken = createToken("org1", List.of("n3-100"));
+
+        var dto = given()
+                .contentType(APPLICATION_JSON)
+                .header(APM_HEADER_PARAM, accessToken)
+                .body(new PermissionRequestDTOV1().token(accessToken))
+                .post("/workspace/wapp1")
+                .then()
+                .statusCode(OK.getStatusCode())
+                .extract()
+                .body().as(WorkspacePermissionsDTOV1.class);
+
+        assertThat(dto).isNotNull();
+        assertThat(dto.getPermissions()).isNotNull().isEmpty();
+
+        dto = given()
+                .contentType(APPLICATION_JSON)
+                .header(APM_HEADER_PARAM, accessToken)
+                .body(new PermissionRequestDTOV1().token(accessToken))
+                .post("/workspace/wapp1-100")
+                .then()
+                .statusCode(OK.getStatusCode())
+                .extract()
+                .body().as(WorkspacePermissionsDTOV1.class);
+
+        assertThat(dto).isNotNull();
+        assertThat(dto.getPermissions()).isNotNull().hasSize(1);
+        assertThat(dto.getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a1");
+
+    }
+
+    @Test
+    void getWorkspacePermissionApplicationsTest() {
+
+        var accessToken = createToken("org1", List.of("n3-100"));
+
+        var dto = given()
+                .contentType(APPLICATION_JSON)
+                .header(APM_HEADER_PARAM, accessToken)
+                .body(new PermissionRequestDTOV1().token(accessToken))
+                .post("/workspace/wapp1/applications")
+                .then()
+                .statusCode(OK.getStatusCode())
+                .extract()
+                .body().as(WorkspacePermissionApplicationsDTOV1.class);
+
+        assertThat(dto).isNotNull();
+        assertThat(dto.getWorkspace()).isNotNull();
+        assertThat(dto.getWorkspace().getPermissions()).isNotNull().isEmpty();
+
+        dto = given()
+                .contentType(APPLICATION_JSON)
+                .header(APM_HEADER_PARAM, accessToken)
+                .body(new PermissionRequestDTOV1().token(accessToken))
+                .post("/workspace/wapp1-100/applications")
+                .then()
+                .statusCode(OK.getStatusCode())
+                .extract()
+                .body().as(WorkspacePermissionApplicationsDTOV1.class);
+
+        assertThat(dto).isNotNull();
+        assertThat(dto.getWorkspace()).isNotNull();
+        assertThat(dto.getWorkspace().getPermissions()).isNotNull().hasSize(1);
+        assertThat(dto.getWorkspace().getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a1");
+        assertThat(dto.getApplications()).isNotNull().hasSize(1);
+        assertThat(dto.getApplications().get(0)).isNotNull();
+        assertThat(dto.getApplications().get(0).getPermissions()).isNotNull().hasSize(1);
+        assertThat(dto.getApplications().get(0).getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a2");
+    }
+}
diff --git a/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTestIT.java b/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTestIT.java
new file mode 100644
index 0000000..9f39bb2
--- /dev/null
+++ b/src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerTenantTestIT.java
@@ -0,0 +1,7 @@
+package io.github.onecx.permission.rs.external.v1;
+
+import io.quarkus.test.junit.QuarkusIntegrationTest;
+
+@QuarkusIntegrationTest
+class PermissionRestControllerTenantTestIT extends PermissionRestControllerTenantTest {
+}
diff --git a/src/test/java/io/github/onecx/permission/test/AbstractTest.java b/src/test/java/io/github/onecx/permission/test/AbstractTest.java
index da833e4..cbc2070 100644
--- a/src/test/java/io/github/onecx/permission/test/AbstractTest.java
+++ b/src/test/java/io/github/onecx/permission/test/AbstractTest.java
@@ -30,6 +30,8 @@
 @SuppressWarnings("java:S2187")
 public class AbstractTest {
 
+    protected static final String APM_HEADER_PARAM = ConfigProvider.getConfig()
+            .getValue("%test.tkit.rs.context.tenant-id.mock.token-header-param", String.class);
     protected static final String CLAIMS_ORG_ID = ConfigProvider.getConfig()
             .getValue("%test.tkit.rs.context.tenant-id.mock.claim-org-id", String.class);
 
diff --git a/src/test/resources/data/test-v1.xml b/src/test/resources/data/test-v1.xml
index 92cd883..fadfb01 100644
--- a/src/test/resources/data/test-v1.xml
+++ b/src/test/resources/data/test-v1.xml
@@ -17,14 +17,16 @@
     <ROLE guid="r13" optlock="0" name="n3" description="d1" tenant_id="default"/>
     <ROLE guid="r14" optlock="0" name="n4" description="d1" tenant_id="default"/>
 
-    <ROLE guid="r21" optlock="0" name="n1" description="d1" tenant_id="100"/>
-    <ROLE guid="r22" optlock="0" name="n2" description="d1" tenant_id="100"/>
-    <ROLE guid="r23" optlock="0" name="n3" description="d1" tenant_id="100"/>
-    <ROLE guid="r24" optlock="0" name="n4" description="d1" tenant_id="100"/>
+    <ROLE guid="r21" optlock="0" name="n1-100" description="d1" tenant_id="100"/>
+    <ROLE guid="r22" optlock="0" name="n2-100" description="d1" tenant_id="100"/>
+    <ROLE guid="r23" optlock="0" name="n3-100" description="d1" tenant_id="100"/>
+    <ROLE guid="r24" optlock="0" name="n4-100" description="d1" tenant_id="100"/>
 
     <ASSIGNMENT guid="a11" optlock="0" permission_id="p13" role_id="r13" tenant_id="default"/>
     <ASSIGNMENT guid="a12" optlock="0" permission_id="p13" role_id="r14" tenant_id="default"/>
 
+    <ASSIGNMENT guid="aw1" optlock="0" permission_id="p12" role_id="r23" tenant_id="100"/>
+
     <WORKSPACE_PERMISSION guid="wp11" optlock="0" workspace_id="wapp1" resource="o1" action="a1" tenant_id="default"/>
     <WORKSPACE_PERMISSION guid="wp12" optlock="0" workspace_id="wapp1" resource="o1" action="a2" tenant_id="default"/>
     <WORKSPACE_PERMISSION guid="wp13" optlock="0" workspace_id="wapp1" resource="o1" action="a3" tenant_id="default"/>
@@ -35,6 +37,12 @@
     <WORKSPACE_PERMISSION guid="wp21" optlock="0" workspace_id="wapp2" resource="o1" action="a1" tenant_id="default"/>
     <WORKSPACE_PERMISSION guid="wp22" optlock="0" workspace_id="wapp2" resource="o1" action="a2" tenant_id="default"/>
 
+    <WORKSPACE_PERMISSION guid="wp211" optlock="0" workspace_id="wapp1-100" resource="o1" action="a1" tenant_id="100"/>
+    <WORKSPACE_PERMISSION guid="wp212" optlock="0" workspace_id="wapp1-100" resource="o1" action="a2" tenant_id="100"/>
+
     <WORKSPACE_ASSIGNMENT guid="wa11" optlock="0" permission_id="wp13" role_id="r13" tenant_id="default"/>
     <WORKSPACE_ASSIGNMENT guid="wa12" optlock="0" permission_id="wp13" role_id="r14" tenant_id="default"/>
+
+    <WORKSPACE_ASSIGNMENT guid="wa212" optlock="0" permission_id="wp211" role_id="r23" tenant_id="100"/>
+    <WORKSPACE_ASSIGNMENT guid="wa213" optlock="0" permission_id="wp212" role_id="r24" tenant_id="100"/>
 </dataset>
\ No newline at end of file