Issue with Service User Permissions in RepoInit Scripts

Question

Hello Community,I have created RepoInit scripts to create a service user and grant specific permissions. However, for some reason, I am unable to predict the behavior of the granted permissions. Initially, when the script was deployed to the instance, I observed the following permissions in the content repository:Read: YesModify: NoCreate: YesDelete: YesAfter several deployments (with no changes made to the script), I started noticing errors in the logs. Upon checking the permissions in the UserAdmin Console, I saw that the "Create" permission was no longer enabled. The updated permissions were:Read: YesModify: NoCreate: NoDelete: YesHere is the error log that I encountered: ERROR LOG: 2025-07-30 21:25:50.721 ERROR [com.xxx.yyy.aem.core.internal.impl.models.zzzz] RepositoryException while interacting with JCR: /content/project1/en/jcr:content/root/responsivegrid/layout_container_cop/content/layout_container_169/content/layout_container_108/content/navigation_1210280890 javax.jcr.AccessDeniedException: Access denied. at org.apache.jackrabbit.oak.jcr.security.AccessManager.checkPermissions(AccessManager.java:71) [org.apache.jackrabbit.oak-jcr:1.22.20] at org.apache.jackrabbit.oak.jcr.session.NodeImpl$5.perform(NodeImpl.java:320) [org.apache.jackrabbit.oak-jcr:1.22.20] at org.apache.jackrabbit.oak.jcr.session.NodeImpl$5.perform(NodeImpl.java:289) [org.apache.jackrabbit.oak-jcr:1.22.20] at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:207) [org.apache.jackrabbit.oak-jcr:1.22.20] at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112) [org.apache.jackrabbit.oak-jcr:1.22.20] at org.apache.jackrabbit.oak.jcr.session.NodeImpl.addNode(NodeImpl.java:289) [org.apache.jackrabbit.oak-jcr:1.22.20] at com.xxx.yyy.aem.core.internal.impl.models.zzzz.createLinkNode(zzzz.java:336) RepoInit Script:Below is the RepoInit script I used: Config Name: org.apache.sling.jcr.repoinit.RepositoryInitializer~retail.cfg.jsonAEM Version: 6.5.21Environment: Adobe Managed Service (Not cloud).{ "scripts": [ "create path (sling:Folder) /conf/retail-targeting", "set ACL for anonymous
allow jcr:read on /conf/retail-targeting
end", "create service user testWriteUser with path /home/users/system/retail", "set ACL on /content/experience-fragments/retail-stores
allow jcr:read,jcr:write,jcr:addChildNodes,jcr:modifyProperties,jcr:removeNode,jcr:removeChildNodes for testWriteUser
end", "set ACL on /content/campaigns/web-portal/target-experience/UserExperience
allow jcr:read,jcr:write,jcr:addChildNodes,jcr:modifyProperties,jcr:removeNode,jcr:removeChildNodes for testWriteUser
end", "set ACL on /content/project1/en
allow jcr:read,jcr:write,jcr:addChildNodes,jcr:modifyProperties,jcr:removeNode,jcr:removeChildNodes for testWriteUser
end" ] } Could someone check and let me know if you have faced a similar issue? Additionally, could you confirm if there’s anything wrong with the script? My goal is to ensure that the service user has the necessary permissions to perform node creation and modification operations.Thanks in advance!

BrianKasingli · Accepted Answer

@test1234567 ,With RepoInit, every deployment re-applies the ACLs you’ve declared for a service user. That means the outcome can change between deployments if the script isn’t consistent or if multiple configurations affect the same user.The issue where the “Create” permission disappears after several deployments usually happens because RepoInit doesn’t merge permissions — it overwrites them. If you ever deploy a version of the script that doesn’t explicitly list jcr:addChildNodes, for example, that privilege will be removed. Likewise, if another RepoInit configuration or package modifies the same principal, your ACLs can get overridden.To prevent this, always declare the full set of privileges you want the service user to have on each deployment. Don’t rely on incremental changes. You can simplify by using the aggregate jcr:write privilege, which already includes create, modify, and delete operations.For example, a reliable RepoInit script could look like this:{  "scripts": [    "create service user testWriteUser with path /home/users/system/retail",    "set ACL on /content/project1/en
 allow jcr:read,jcr:write for testWriteUser
end"  ]} If you prefer to be more explicit instead of using the shorthand, you can write:{  "scripts": [    "create service user testWriteUser with path /home/users/system/retail",    "set ACL on /content/project1/en
 allow jcr:read,jcr:addChildNodes,jcr:modifyProperties,jcr:removeNode,jcr:removeChildNodes for testWriteUser
end"  ]} The key is consistency. Each ew configuration, deploy on local. Each local deployment should redeclare the complete ACL set, so permissions don’t drop unexpectedly. After deployment, confirm through User Admin (http://localhost:4502/useradmin) that the service user has the intended access, and monitor your error logs during startup — RepoInit logs will tell you exactly which rules were applied.This approach ensures your service user always retains the ability to create and update nodes, without privileges silently disappearing after multiple deployments.

RepoInit Script:

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded