Context

While testing the Create Authorization Orchestration Cluster REST API in Camunda 8.8, I noticed a mismatch between:

The concept documentation:
Using Camunda 8 → Identity and access management → Orchestration Cluster authorization

The API specification:
APIs & tools → Orchestration Cluster API → Specifications → Authorization → Create authorization

What the docs currently say

In the Orchestration Cluster authorization concept doc, under “No validation of owner and resource IDs”, it states:
“When you create an authorization, the Orchestration Cluster does not validate if the owner or the resource exists at that point in time.”
This implies that both owner and resource identifiers are not validated when creating an authorization.

What the API spec says

The Create authorization REST API page for 8.8 documents a 404 response with:
404 – “The owner was not found.”
So the API contract explicitly says the endpoint will return 404 if the owner does not exist, which already contradicts the concept doc.

Actual behavior observed (8.8)

Using the Create Authorization API (POST /authorizations) in an Orchestration Cluster with authorizations enabled:

Non-existing ownerId

Request body: valid structure, but ownerId intentionally set to a value that does not exist in Identity.
Response: HTTP 404 Not Found, with an error message equivalent to “The owner was not found.”

This matches the API spec.

Non-existing resourceId
Request body: valid, with a non-existing resourceId (e.g., a process definition key that is not yet deployed).
Response: HTTP 201 Created (or 200, depending on tooling), authorization is created successfully.

No validation error is returned for the resource.

So, in practice for 8.8:

• Owner is validated on create → non-existing owner leads to 404.
• ResourceId is not validated on create → non-existing resource is accepted and the authorization is created.