diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go
index c4b03cbe6..58757ff6d 100644
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
@@ -22,7 +22,7 @@ import (
 )
 
 func (s *Service) newAPERequest(ctx context.Context, namespace string,
-	cid cid.ID, operation acl.Op, role acl.Role, publicKey *keys.PublicKey,
+	cid cid.ID, treeID string, operation acl.Op, role acl.Role, publicKey *keys.PublicKey,
 ) (aperequest.Request, error) {
 	schemaMethod, err := converter.SchemaMethodFromACLOperation(operation)
 	if err != nil {
@@ -53,15 +53,19 @@ func (s *Service) newAPERequest(ctx context.Context, namespace string,
 		resourceName = fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainerObjects, namespace, cid.EncodeToString())
 	}
 
+	resProps := map[string]string{
+		nativeschema.ProperyKeyTreeID: treeID,
+	}
+
 	return aperequest.NewRequest(
 		schemaMethod,
-		aperequest.NewResource(resourceName, make(map[string]string)),
+		aperequest.NewResource(resourceName, resProps),
 		reqProps,
 	), nil
 }
 
 func (s *Service) checkAPE(ctx context.Context, bt *bearer.Token,
-	container *core.Container, cid cid.ID, operation acl.Op, role acl.Role, publicKey *keys.PublicKey,
+	container *core.Container, cid cid.ID, treeID string, operation acl.Op, role acl.Role, publicKey *keys.PublicKey,
 ) error {
 	namespace := ""
 	cntNamespace, hasNamespace := strings.CutSuffix(cnrSDK.ReadDomain(container.Value).Zone(), ".ns")
@@ -69,7 +73,7 @@ func (s *Service) checkAPE(ctx context.Context, bt *bearer.Token,
 		namespace = cntNamespace
 	}
 
-	request, err := s.newAPERequest(ctx, namespace, cid, operation, role, publicKey)
+	request, err := s.newAPERequest(ctx, namespace, cid, treeID, operation, role, publicKey)
 	if err != nil {
 		return fmt.Errorf("failed to create ape request: %w", err)
 	}
diff --git a/pkg/services/tree/ape_test.go b/pkg/services/tree/ape_test.go
index 0afc7660a..7b209fd47 100644
--- a/pkg/services/tree/ape_test.go
+++ b/pkg/services/tree/ape_test.go
@@ -107,6 +107,45 @@ func TestCheckAPE(t *testing.T) {
 	cid := cid.ID{}
 	_ = cid.DecodeString(containerID)
 
+	t.Run("treeID rule", func(t *testing.T) {
+		los := inmemory.NewInmemoryLocalStorage()
+		mcs := inmemory.NewInmemoryMorphRuleChainStorage()
+		fid := newFrostfsIDProviderMock(t)
+		s := Service{
+			cfg: cfg{
+				frostfsidSubjectProvider: fid,
+			},
+			apeChecker: checkercore.New(los, mcs, fid, &stMock{}),
+		}
+
+		mcs.AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(containerID), &chain.Chain{
+			Rules: []chain.Rule{
+				{
+					Status:  chain.QuotaLimitReached,
+					Actions: chain.Actions{Names: []string{nativeschema.MethodGetObject}},
+					Resources: chain.Resources{
+						Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, containerID)},
+					},
+					Condition: []chain.Condition{
+						{
+							Op:    chain.CondStringEquals,
+							Kind:  chain.KindResource,
+							Key:   nativeschema.ProperyKeyTreeID,
+							Value: versionTreeID,
+						},
+					},
+				},
+			},
+			MatchType: chain.MatchTypeFirstMatch,
+		})
+
+		err := s.checkAPE(context.Background(), nil, rootCnr, cid, versionTreeID, acl.OpObjectGet, acl.RoleOwner, senderPrivateKey.PublicKey())
+
+		var chErr *checkercore.ChainRouterError
+		require.ErrorAs(t, err, &chErr)
+		require.Equal(t, chain.QuotaLimitReached, chErr.Status())
+	})
+
 	t.Run("put non-tombstone rule won't affect tree remove", func(t *testing.T) {
 		los := inmemory.NewInmemoryLocalStorage()
 		mcs := inmemory.NewInmemoryMorphRuleChainStorage()
@@ -152,7 +191,7 @@ func TestCheckAPE(t *testing.T) {
 			MatchType: chain.MatchTypeFirstMatch,
 		})
 
-		err := s.checkAPE(context.Background(), nil, rootCnr, cid, acl.OpObjectDelete, acl.RoleOwner, senderPrivateKey.PublicKey())
+		err := s.checkAPE(context.Background(), nil, rootCnr, cid, versionTreeID, acl.OpObjectDelete, acl.RoleOwner, senderPrivateKey.PublicKey())
 		require.NoError(t, err)
 	})
 
@@ -201,7 +240,7 @@ func TestCheckAPE(t *testing.T) {
 			MatchType: chain.MatchTypeFirstMatch,
 		})
 
-		err := s.checkAPE(context.Background(), nil, rootCnr, cid, acl.OpObjectPut, acl.RoleOwner, senderPrivateKey.PublicKey())
+		err := s.checkAPE(context.Background(), nil, rootCnr, cid, versionTreeID, acl.OpObjectPut, acl.RoleOwner, senderPrivateKey.PublicKey())
 		require.NoError(t, err)
 	})
 }
diff --git a/pkg/services/tree/service.go b/pkg/services/tree/service.go
index b9bb96bab..85bb03a28 100644
--- a/pkg/services/tree/service.go
+++ b/pkg/services/tree/service.go
@@ -117,7 +117,7 @@ func (s *Service) Add(ctx context.Context, req *AddRequest) (*AddResponse, error
 		return nil, err
 	}
 
-	err := s.verifyClient(ctx, req, cid, b.GetBearerToken(), acl.OpObjectPut)
+	err := s.verifyClient(ctx, req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectPut)
 	if err != nil {
 		return nil, err
 	}
@@ -161,7 +161,7 @@ func (s *Service) AddByPath(ctx context.Context, req *AddByPathRequest) (*AddByP
 		return nil, err
 	}
 
-	err := s.verifyClient(ctx, req, cid, b.GetBearerToken(), acl.OpObjectPut)
+	err := s.verifyClient(ctx, req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectPut)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +217,7 @@ func (s *Service) Remove(ctx context.Context, req *RemoveRequest) (*RemoveRespon
 		return nil, err
 	}
 
-	err := s.verifyClient(ctx, req, cid, b.GetBearerToken(), acl.OpObjectDelete)
+	err := s.verifyClient(ctx, req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectDelete)
 	if err != nil {
 		return nil, err
 	}
@@ -262,7 +262,7 @@ func (s *Service) Move(ctx context.Context, req *MoveRequest) (*MoveResponse, er
 		return nil, err
 	}
 
-	err := s.verifyClient(ctx, req, cid, b.GetBearerToken(), acl.OpObjectPut)
+	err := s.verifyClient(ctx, req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectPut)
 	if err != nil {
 		return nil, err
 	}
@@ -306,7 +306,7 @@ func (s *Service) GetNodeByPath(ctx context.Context, req *GetNodeByPathRequest)
 		return nil, err
 	}
 
-	err := s.verifyClient(ctx, req, cid, b.GetBearerToken(), acl.OpObjectGet)
+	err := s.verifyClient(ctx, req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectGet)
 	if err != nil {
 		return nil, err
 	}
@@ -377,7 +377,7 @@ func (s *Service) GetSubTree(req *GetSubTreeRequest, srv TreeService_GetSubTreeS
 		return err
 	}
 
-	err := s.verifyClient(srv.Context(), req, cid, b.GetBearerToken(), acl.OpObjectGet)
+	err := s.verifyClient(srv.Context(), req, cid, req.GetBody().GetTreeId(), b.GetBearerToken(), acl.OpObjectGet)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index d15438e81..89056056d 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -38,7 +38,7 @@ var (
 // Operation must be one of:
 //   - 1. ObjectPut;
 //   - 2. ObjectGet.
-func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID, rawBearer []byte, op acl.Op) error {
+func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID, treeID string, rawBearer []byte, op acl.Op) error {
 	err := verifyMessage(req)
 	if err != nil {
 		return err
@@ -64,7 +64,7 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
 		return fmt.Errorf("can't get request role: %w", err)
 	}
 
-	if err = s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey); err != nil {
+	if err = s.checkAPE(ctx, bt, cnr, cid, treeID, op, role, pubKey); err != nil {
 		return apeErr(err)
 	}
 	return nil
diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go
index 97f8a727a..947de8e58 100644
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@@ -31,6 +31,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+const versionTreeID = "version"
+
 type dummyNetmapSource struct {
 	netmap.Source
 }
@@ -168,26 +170,26 @@ func TestMessageSign(t *testing.T) {
 	cnr.Value.SetBasicACL(acl.PublicRW)
 
 	t.Run("missing signature, no panic", func(t *testing.T) {
-		require.Error(t, s.verifyClient(context.Background(), req, cid2, nil, op))
+		require.Error(t, s.verifyClient(context.Background(), req, cid2, versionTreeID, nil, op))
 	})
 
 	require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
-	require.NoError(t, s.verifyClient(context.Background(), req, cid1, nil, op))
+	require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, nil, op))
 
 	t.Run("invalid CID", func(t *testing.T) {
-		require.Error(t, s.verifyClient(context.Background(), req, cid2, nil, op))
+		require.Error(t, s.verifyClient(context.Background(), req, cid2, versionTreeID, nil, op))
 	})
 
 	cnr.Value.SetBasicACL(acl.Private)
 
 	t.Run("extension disabled", func(t *testing.T) {
 		require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
-		require.Error(t, s.verifyClient(context.Background(), req, cid2, nil, op))
+		require.Error(t, s.verifyClient(context.Background(), req, cid2, versionTreeID, nil, op))
 	})
 
 	t.Run("invalid key", func(t *testing.T) {
 		require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-		require.Error(t, s.verifyClient(context.Background(), req, cid1, nil, op))
+		require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, nil, op))
 	})
 
 	t.Run("bearer", func(t *testing.T) {
@@ -200,7 +202,7 @@ func TestMessageSign(t *testing.T) {
 		t.Run("invalid bearer", func(t *testing.T) {
 			req.Body.BearerToken = []byte{0xFF}
 			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 
 		t.Run("invalid bearer CID", func(t *testing.T) {
@@ -209,7 +211,7 @@ func TestMessageSign(t *testing.T) {
 			req.Body.BearerToken = bt.Marshal()
 
 			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 		t.Run("invalid bearer owner", func(t *testing.T) {
 			bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
@@ -217,7 +219,7 @@ func TestMessageSign(t *testing.T) {
 			req.Body.BearerToken = bt.Marshal()
 
 			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 		t.Run("invalid bearer signature", func(t *testing.T) {
 			bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
@@ -229,7 +231,7 @@ func TestMessageSign(t *testing.T) {
 			req.Body.BearerToken = bv2.StableMarshal(nil)
 
 			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 
 		t.Run("impersonate", func(t *testing.T) {
@@ -241,8 +243,8 @@ func TestMessageSign(t *testing.T) {
 			req.Body.BearerToken = bt.Marshal()
 
 			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 
 		bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
@@ -252,18 +254,18 @@ func TestMessageSign(t *testing.T) {
 
 		t.Run("put and get", func(t *testing.T) {
 			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 		t.Run("only get", func(t *testing.T) {
 			require.NoError(t, SignMessage(req, &privs[2].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 		t.Run("none", func(t *testing.T) {
 			require.NoError(t, SignMessage(req, &privs[3].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 	})
 }