diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go index 2cdb30b45..09b4058dd 100644 --- a/pkg/services/container/ape.go +++ b/pkg/services/container/ape.go @@ -327,9 +327,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con reqProps, ) - s, found, err := ac.router.IsAllowed(apechain.Ingress, - policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups), - request) + rt := policyengine.NewRequestTargetWithNamespace(namespace) + userTarget := policyengine.UserTarget(fmt.Sprintf("%s:%s", namespace, pk.Address())) + rt.User = &userTarget + rt.Groups = make([]policyengine.Target, len(groups)) + for i := range groups { + rt.Groups[i] = policyengine.GroupTarget(groups[i]) + } + + s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request) if err != nil { return err } diff --git a/pkg/services/container/ape_test.go b/pkg/services/container/ape_test.go index b6b42a559..e9e8461e6 100644 --- a/pkg/services/container/ape_test.go +++ b/pkg/services/container/ape_test.go @@ -102,7 +102,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) { nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap - addDefaultAllowGetPolicy(t, router, contID) + addDefaultAllowGetPolicy(t, router) req := &container.GetRequest{} req.SetBody(&container.GetRequestBody{}) @@ -117,7 +117,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) { _, err = apeSrv.Get(context.Background(), req) require.NoError(t, err) - _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, 
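Review bot: The request target built from `NewRequestTargetWithNamespace(namespace)` is given a user and groups but nothing in the hunk sets a container on `rt`, whereas the removed `NewRequestTargetExtended` call passed `id.EncodeToString()`, so Morph rule chains stored under a container target for this operation would seemingly no longer be evaluated on this path, and the hunk carries no comment saying that narrowing is intended. The accompanying test changes move every chain to a namespace target, which suggests it is, so a line above `rt :=` such as `// container-bounded operations are matched against namespace-scoped chains; container-targeted chains are not consulted here` would make the policy scope explicit for readers and for operators migrating existing chains. A regression test that stores a denying chain under `engine.ContainerTarget(contID.EncodeToString())` and asserts it does not affect this check would pin that behaviour instead of leaving it implied by the rewritten tests. validateContainerBoundedOperation starts and ends outside the hunk.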
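Review bot: `engine.NamespaceTarget("")` is written out as a bare empty string here and in the later hunks (@@ -324, -424, -522, -621, -1213, -1255, -1368 and the addDefaultAllowGetPolicy helper at the end), while the @@ -1341 hunk uses `engine.NamespaceTarget(testDomainName)` for the domain case, so the reader has to infer that `""` means the root namespace. A named constant in the test file, for example `const rootNamespace = ""` used as `engine.NamespaceTarget(rootNamespace)`, states that meaning once and keeps the chain registrations and the helper from drifting apart. Whether the production code also represents the root namespace as an empty string is not shown on the page, so confirm that before choosing the name. testAllowThenDenyGetContainerRuleDefined starts and ends outside the hunk.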
@@ -324,7 +324,7 @@ func testDenyGetContainerForOthers(t *testing.T) { nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap - _, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, @@ -424,7 +424,7 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) { nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap - _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, @@ -522,7 +522,7 @@ func testDenyGetContainerByIP(t *testing.T) { nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap - _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, @@ -621,7 +621,7 @@ func testDenyGetContainerByGroupID(t *testing.T) { nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap - _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, 
@@ -1213,7 +1213,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) { components.containerReader.c[contID] = &containercore.Container{Value: testContainer} initTestNetmap(components.netmap) - _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, @@ -1255,7 +1255,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) { components.containerReader.c[contID] = &containercore.Container{Value: testContainer} initTestNetmap(components.netmap) - _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, @@ -1282,7 +1282,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) { }) require.NoError(t, err) - addDefaultAllowGetPolicy(t, components.engine, contID) + addDefaultAllowGetPolicy(t, components.engine) req := initTestGetContainerRequest(t, contID) @@ -1325,7 +1325,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) { }) require.NoError(t, err) - addDefaultAllowGetPolicy(t, components.engine, contID) + addDefaultAllowGetPolicy(t, components.engine) req := initTestGetContainerRequest(t, contID) 
@@ -1341,50 +1341,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) { components.containerReader.c[contID] = &containercore.Container{Value: testContainer} initTestNetmap(components.netmap) - _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ - Rules: []chain.Rule{ - { - Status: chain.AccessDenied, - Actions: chain.Actions{ - Names: []string{ - nativeschema.MethodGetContainer, - }, - }, - Resources: chain.Resources{ - Names: []string{ - fmt.Sprintf(nativeschema.ResourceFormatRootContainer, contID.EncodeToString()), - }, - }, - Condition: []chain.Condition{ - { - Kind: chain.KindRequest, - Key: nativeschema.PropertyKeyActorRole, - Value: nativeschema.PropertyValueContainerRoleOthers, - Op: chain.CondStringEquals, - }, - }, - }, - }, - }) - require.NoError(t, err) - - addDefaultAllowGetPolicy(t, components.engine, contID) - - req := initTestGetContainerRequest(t, contID) - - err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer) - require.NoError(t, err) - }) - - t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) { - t.Parallel() - - components := newTestAPEServer() - contID, testContainer := initTestContainer(t, true) - components.containerReader.c[contID] = &containercore.Container{Value: testContainer} - initTestNetmap(components.netmap) - - _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ + _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(testDomainName), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.AccessDenied, 
@@ -1411,7 +1368,51 @@ func TestValidateContainerBoundedOperation(t *testing.T) { }) require.NoError(t, err) - addDefaultAllowGetPolicy(t, components.engine, contID) + addDefaultAllowGetPolicy(t, components.engine) + + req := initTestGetContainerRequest(t, contID) + + err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer) + aErr := apeErr(nativeschema.MethodGetContainer, chain.AccessDenied) + require.ErrorContains(t, err, aErr.Error()) + }) + + t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) { + t.Parallel() + + components := newTestAPEServer() + contID, testContainer := initTestContainer(t, true) + components.containerReader.c[contID] = &containercore.Container{Value: testContainer} + initTestNetmap(components.netmap) + + _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ + Rules: []chain.Rule{ + { + Status: chain.AccessDenied, + Actions: chain.Actions{ + Names: []string{ + nativeschema.MethodGetContainer, + }, + }, + Resources: chain.Resources{ + Names: []string{ + fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainer, testDomainName, contID.EncodeToString()), + }, + }, + Condition: []chain.Condition{ + { + Kind: chain.KindRequest, + Key: nativeschema.PropertyKeyActorRole, + Value: nativeschema.PropertyValueContainerRoleOthers, + Op: chain.CondStringEquals, + }, + }, + }, + }, + }) + require.NoError(t, err) + + addDefaultAllowGetPolicy(t, components.engine) req := initTestGetContainerRequest(t, contID) 
@@ -1565,8 +1566,8 @@ func initListRequest(t *testing.T, actorPK *keys.PrivateKey, ownerPK *keys.Priva return req } -func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine, contID cid.ID) { - _, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ +func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine) { + _, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{ Rules: []chain.Rule{ { Status: chain.Allow,