diff --git a/changes/TI-1456.bugfix b/changes/TI-1456.bugfix
new file mode 100644
index 00000000000..c5c9743b268
--- /dev/null
+++ b/changes/TI-1456.bugfix
@@ -0,0 +1 @@
+- Fix OGDS sync for multi-tenant setups. [lgraf]
diff --git a/opengever/ogds/base/__init__.py b/opengever/ogds/base/__init__.py
index fe22ea276ba..409c97c7c76 100644
--- a/opengever/ogds/base/__init__.py
+++ b/opengever/ogds/base/__init__.py
@@ -1,3 +1,4 @@
+from AccessControl.SecurityManagement import newSecurityManager
 from opengever.core.debughelpers import get_first_plone_site
 from opengever.core.debughelpers import setup_plone
 from opengever.ogds.base.sync.ogds_updater import sync_ogds
@@ -18,5 +19,15 @@ def sync_ogds_zopectl_handler(app, args):
 stream_handler.setLevel(logging.INFO)
 plone = setup_plone(get_first_plone_site(app))
+
+ # Switch security context to 'zopemaster' instead of SpecialUsers.system.
+ # This is required because in multi-tenant setups, the OGDS sync will
+ # dispatch a remote request to update the sync timestamp. This request
+ # will need to be authenticated and therefore needs a user which has an
+ # actual userid - which the SpecialUsers.system doesn't.
+ user = app.acl_users.getUser('zopemaster')
+ user = user.__of__(app.acl_users)
+ newSecurityManager(app, user)
+
 sync_ogds(plone, local_groups=is_workspace_feature_enabled())
 transaction.commit()
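Review bot: In the second hunk of `opengever/ogds/base/__init__.py`, `app.acl_users.getUser('zopemaster')` returns `None` when the root user folder has no account with that id, so the following `user.__of__(app.acl_users)` fails with an AttributeError that never names the missing account. A guard before the wrap would make the failure explicit: `if user is None: raise RuntimeError("OGDS sync requires a 'zopemaster' user in the root acl_users")`. The hard-coded id also means the whole sync, including the remote timestamp request, now runs as what is presumably a Manager-level account. The comment should state which permissions the remote call actually needs, and the id would be better taken from configuration so that a less privileged service account can be used. The body of `sync_ogds_zopectl_handler` starts outside the hunk, so any earlier setup that might already establish a security context is not visible here.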