The distinction is whether the resource is owned by another tenant or not. Often a user can view a resource but aren't allowed to edit it, at which point 403 is correct. However if it's something owned by another tenant entirely, and is not public, then a 404 is correct.
No comments yet.