diff --git a/pkg/ape/request/frostfsid.go b/pkg/ape/request/frostfsid.go
new file mode 100644
index 00000000..fa620e58
--- /dev/null
+++ b/pkg/ape/request/frostfsid.go
@@ -0,0 +1,36 @@
+package request
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+)
+
+// FormFrostfsIDRequestProperties forms frostfsid specific request properties like user-claim tags and group ID.
+func FormFrostfsIDRequestProperties(frostFSIDClient frostfsidcore.SubjectProvider, pk *keys.PublicKey) (map[string]string, error) {
+	reqProps := make(map[string]string)
+	subj, err := frostFSIDClient.GetSubjectExtended(pk.GetScriptHash())
+	if err != nil {
+		if !strings.Contains(err.Error(), frostfsidcore.SubjectNotFoundErrorMessage) {
+			return nil, fmt.Errorf("get subject error: %w", err)
+		}
+		return reqProps, nil
+	}
+	for k, v := range subj.KV {
+		propertyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k)
+		reqProps[propertyKey] = v
+	}
+
+	groups := make([]string, len(subj.Groups))
+	for i, group := range subj.Groups {
+		groups[i] = strconv.FormatInt(group.ID, 10)
+	}
+	reqProps[commonschema.PropertyKeyFrostFSIDGroupID] = apechain.FormCondSliceContainsValue(groups)
+
+	return reqProps, nil
+}
diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go
index 9c38d1bb..22440ab8 100644
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@@ -27,7 +27,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
-	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
@@ -619,16 +618,12 @@ func (ac *apeChecker) fillWithUserClaimTags(reqProps map[string]string, pk *keys
 	if reqProps == nil {
 		reqProps = make(map[string]string)
 	}
-	subj, err := ac.frostFSIDClient.GetSubject(pk.GetScriptHash())
+	props, err := aperequest.FormFrostfsIDRequestProperties(ac.frostFSIDClient, pk)
 	if err != nil {
-		if !strings.Contains(err.Error(), frostfsidcore.SubjectNotFoundErrorMessage) {
-			return nil, fmt.Errorf("get subject error: %w", err)
-		}
-		return reqProps, nil
+		return reqProps, err
 	}
-	for k, v := range subj.KV {
-		properyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k)
-		reqProps[properyKey] = v
+	for propertyName, properyValue := range props {
+		reqProps[propertyName] = properyValue
 	}
 	return reqProps, nil
 }
diff --git a/pkg/services/container/ape_test.go b/pkg/services/container/ape_test.go
index a2fe7995..94c3027c 100644
--- a/pkg/services/container/ape_test.go
+++ b/pkg/services/container/ape_test.go
@@ -45,6 +45,7 @@ func TestAPE(t *testing.T) {
 	t.Run("deny get container no rule found", testDenyGetContainerNoRuleFound)
 	t.Run("deny get container for others", testDenyGetContainerForOthers)
 	t.Run("deny get container by user claim tag", testDenyGetContainerByUserClaimTag)
+	t.Run("deny get container by group id", testDenyGetContainerByGroupID)
 	t.Run("deny set container eACL for IR", testDenySetContainerEACLForIR)
 	t.Run("deny get container eACL for IR with session token", testDenyGetContainerEACLForIRSessionToken)
 	t.Run("deny put container for others with session token", testDenyPutContainerForOthersSessionToken)
@@ -279,6 +280,19 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
 				},
 			},
 		},
+		subjectsExt: map[util.Uint160]*client.SubjectExtended{
+			pk.PublicKey().GetScriptHash(): {
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19888,
+					},
+				},
+			},
+		},
 	}
 
 	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
@@ -339,6 +353,104 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
 	require.ErrorAs(t, err, &errAccessDenied)
 }
 
+func testDenyGetContainerByGroupID(t *testing.T) {
+	t.Parallel()
+	srv := &srvStub{
+		calls: map[string]int{},
+	}
+	router := inmemory.NewInMemory()
+	contRdr := &containerStub{
+		c: map[cid.ID]*containercore.Container{},
+	}
+	ir := &irStub{
+		keys: [][]byte{},
+	}
+	nm := &netmapStub{}
+	pk, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	frostfsIDSubjectReader := &frostfsidStub{
+		subjects: map[util.Uint160]*client.Subject{
+			pk.PublicKey().GetScriptHash(): {
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+			},
+		},
+		subjectsExt: map[util.Uint160]*client.SubjectExtended{
+			pk.PublicKey().GetScriptHash(): {
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19888,
+					},
+				},
+			},
+		},
+	}
+
+	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
+
+	contID := cidtest.ID()
+	testContainer := containertest.Container()
+	pp := netmap.PlacementPolicy{}
+	require.NoError(t, pp.DecodeString("REP 1"))
+	testContainer.SetPlacementPolicy(pp)
+	contRdr.c[contID] = &containercore.Container{Value: testContainer}
+
+	nm.currentEpoch = 100
+	nm.netmaps = map[uint64]*netmap.NetMap{}
+	var testNetmap netmap.NetMap
+	testNetmap.SetEpoch(nm.currentEpoch)
+	testNetmap.SetNodes([]netmap.NodeInfo{{}})
+	nm.netmaps[nm.currentEpoch] = &testNetmap
+	nm.netmaps[nm.currentEpoch-1] = &testNetmap
+
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+		Rules: []chain.Rule{
+			{
+				Status: chain.AccessDenied,
+				Actions: chain.Actions{
+					Names: []string{
+						nativeschema.MethodGetContainer,
+					},
+				},
+				Resources: chain.Resources{
+					Names: []string{
+						fmt.Sprintf(nativeschema.ResourceFormatRootContainer, contID.EncodeToString()),
+					},
+				},
+				Condition: []chain.Condition{
+					{
+						Object: chain.ObjectRequest,
+						Key:    commonschema.PropertyKeyFrostFSIDGroupID,
+						Value:  "19888",
+						Op:     chain.CondStringEquals,
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	req := &container.GetRequest{}
+	req.SetBody(&container.GetRequestBody{})
+	var refContID refs.ContainerID
+	contID.WriteToV2(&refContID)
+	req.GetBody().SetContainerID(&refContID)
+
+	require.NoError(t, signature.SignServiceMessage(&pk.PrivateKey, req))
+
+	resp, err := apeSrv.Get(context.Background(), req)
+	require.Nil(t, resp)
+	var errAccessDenied *apistatus.ObjectAccessDenied
+	require.ErrorAs(t, err, &errAccessDenied)
+}
+
 func testDenySetContainerEACLForIR(t *testing.T) {
 	t.Parallel()
 	srv := &srvStub{
@@ -621,6 +733,21 @@ func testDenyPutContainerReadNamespaceFromFrostfsID(t *testing.T) {
 				Name:      testDomainName,
 			},
 		},
+		subjectsExt: map[util.Uint160]*client.SubjectExtended{
+			ownerScriptHash: {
+				Namespace: testDomainName,
+				Name:      testDomainName,
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19888,
+					},
+				},
+			},
+		},
 	}
 	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
 	resp, err := apeSrv.Put(context.Background(), req)
@@ -690,6 +817,21 @@ func testDenyPutContainerInvalidNamespace(t *testing.T) {
 				Name:      testDomainName,
 			},
 		},
+		subjectsExt: map[util.Uint160]*client.SubjectExtended{
+			ownerScriptHash: {
+				Namespace: testDomainName,
+				Name:      testDomainName,
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19888,
+					},
+				},
+			},
+		},
 	}
 	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
 	resp, err := apeSrv.Put(context.Background(), req)
@@ -800,6 +942,34 @@ func testDenyListContainersValidationNamespaceError(t *testing.T) {
 				Name:      testDomainName,
 			},
 		},
+		subjectsExt: map[util.Uint160]*client.SubjectExtended{
+			actorScriptHash: {
+				Namespace: actorDomain,
+				Name:      actorDomain,
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19777,
+					},
+				},
+			},
+			ownerScriptHash: {
+				Namespace: testDomainName,
+				Name:      testDomainName,
+				KV: map[string]string{
+					"tag-attr1": "value1",
+					"tag-attr2": "value2",
+				},
+				Groups: []*client.Group{
+					{
+						ID: 19888,
+					},
+				},
+			},
+		},
 	}
 
 	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
diff --git a/pkg/services/object/ape/request.go b/pkg/services/object/ape/request.go
index 82b6adb1..cbecc73e 100644
--- a/pkg/services/object/ape/request.go
+++ b/pkg/services/object/ape/request.go
@@ -4,17 +4,14 @@ import (
 	"context"
 	"fmt"
 	"strconv"
-	"strings"
 
 	objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
 	aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
-	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
-	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
@@ -148,16 +145,12 @@ func (c *checkerImpl) fillWithUserClaimTags(reqProps map[string]string, prm Prm)
 	if err != nil {
 		return nil, err
 	}
-	subj, err := c.frostFSIDClient.GetSubject(pk.GetScriptHash())
+	props, err := aperequest.FormFrostfsIDRequestProperties(c.frostFSIDClient, pk)
 	if err != nil {
-		if !strings.Contains(err.Error(), frostfsidcore.SubjectNotFoundErrorMessage) {
-			return nil, fmt.Errorf("get subject error: %w", err)
-		}
-		return reqProps, nil
+		return reqProps, err
 	}
-	for k, v := range subj.KV {
-		properyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k)
-		reqProps[properyKey] = v
+	for propertyName, properyValue := range props {
+		reqProps[propertyName] = properyValue
 	}
 	return reqProps, nil
 }
diff --git a/pkg/services/object/ape/request_test.go b/pkg/services/object/ape/request_test.go
index cda78e69..5c74e7d1 100644
--- a/pkg/services/object/ape/request_test.go
+++ b/pkg/services/object/ape/request_test.go
@@ -275,6 +275,7 @@ func TestNewAPERequest(t *testing.T) {
 							nativeschema.PropertyKeyActorRole:                                          prm.Role,
 							fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"): "value1",
 							fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr2"): "value2",
+							commonschema.PropertyKeyFrostFSIDGroupID:                                   "1",
 						},
 					)
 
diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go
index 47e7cb41..622049d6 100644
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
@@ -8,14 +8,12 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/converter"
 	aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
 	core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
-	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	cnrSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
-	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
@@ -80,16 +78,12 @@ func (s *Service) fillWithUserClaimTags(reqProps map[string]string, publicKey *k
 	if reqProps == nil {
 		reqProps = make(map[string]string)
 	}
-	subj, err := s.frostfsidSubjectProvider.GetSubject(publicKey.GetScriptHash())
+	props, err := aperequest.FormFrostfsIDRequestProperties(s.frostfsidSubjectProvider, publicKey)
 	if err != nil {
-		if !strings.Contains(err.Error(), frostfsidcore.SubjectNotFoundErrorMessage) {
-			return nil, fmt.Errorf("get subject error: %w", err)
-		}
-		return reqProps, nil
+		return reqProps, err
 	}
-	for k, v := range subj.KV {
-		properyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k)
-		reqProps[properyKey] = v
+	for propertyName, properyValue := range props {
+		reqProps[propertyName] = properyValue
 	}
 	return reqProps, nil
 }