Repoinit Script Not Applying Permissions | Community
Level 6
July 9, 2025

Repoinit Script Not Applying Permissions


Hi All,

I see some issues with Repoinit. I'm using the script below to apply permissions to all the child nodes under /content/experience-fragments/global-branding. The permissions are being applied only to the folder and not to the XFs (cq:Page). Specifically, only the read permission is being applied, not the modify permission. I have even deleted the service user and reinstalled the packages, but no luck.

Has anyone encountered a similar issue? Please let me know.

org.apache.sling.jcr.repoinit.RepositoryInitializer~project.cfg.json

{
"scripts": [
"create path /conf/test (sling:Folder)",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL for brandWriteUser\nallow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en\nend",
"set ACL for brandWriteUser\nallow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding\nend"
]
}

@aanchal-sikka 

4 replies

MukeshYadav_
Community Advisor
July 9, 2025

Hi @test1234567 ,

You may try writing "on" first and "for" later, like below:

"create service user projectname-system\n set ACL on /\n allow jcr:all for projectname-system\n end\n"
Example

{
"scripts": [
"create path (sling:OrderedFolder) /content/dam/projectname",
"create path (nt:unstructured) /content/dam/projectname/jcr:content",
"set properties on /content/dam/projectname/jcr:content\n set cq:conf{String} to /conf/projectname\n set jcr:title{String} to \"projectname\"\nend",
"create service user projectname-system\n set ACL on /\n allow jcr:all for projectname-system\n end\n"
]
}

Reference https://sling.apache.org/documentation/bundles/repository-initialization.html#repoinit-parser-test-scenarios
Thanks

Level 6
July 9, 2025

After I changed it to jcr:all, it applied complete permissions. I want to apply permissions only for Read, Modify, Create, and Delete and restrict access for Read ACL, Edit ACL, and Replicate.

{
"scripts": [
"create path (sling:Folder) /conf/test",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL on /content/experience-fragments/global-branding\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n",
"set ACL on /content/brand/en\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n"
]
}

MukeshYadav_
Community Advisor
July 10, 2025

Hi @test1234567 ,

Sorry for the confusion; that jcr:all is just an example.

I was asking you to just exchange the positions of "on /path" and "for user(s)".

Thanks

aanchal-sikka
Community Advisor
July 9, 2025

@test1234567 

Did you notice any error/warn/info messages in logs?

Aanchal Sikka

Level 6
July 9, 2025

I don't see any specific errors in the logs. I want to restrict the permissions for Read ACL, Edit ACL, and Replicate, but the script below is not working.

{
"scripts": [
"create path (sling:Folder) /conf/test",
"set ACL for everyone\nallow jcr:read on /conf/test\nend",
"create service user brandWriteUser",
"set ACL on /content/experience-fragments/global-branding\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n",
"set ACL on /content/brand/en\n allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode for brandWriteUser\n deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate for brandWriteUser\n end\n"
]
}

Level 2
July 10, 2025

@test1234567 
Not sure if this will fix your issue, but you can try this way.

org.apache.sling.jcr.repoinit.RepositoryInitializer~project.config - OSGi config name (change extension from .cfg.json to .config)

scripts=["
create path /conf/test (sling:Folder)

set principal ACL for everyone
allow jcr:read on /conf/test

create service user brandWriteUser
set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en

set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding
"]


Hope this helps.

Level 2
July 10, 2025

Ignore the script above, use the following one instead:

scripts=["
create path /conf/test (sling:Folder)
set principal ACL for everyone
allow jcr:read on /conf/test
end

create service user brandWriteUser with forced path system/cq:services/medi
set principal ACL for brandWriteUser
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/brand/en
allow jcr:read, jcr:write, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode on /content/experience-fragments/global-branding
end
"]

Level 6
July 10, 2025

It's not working. Basically, I want to restrict access to 'Read ACL', 'Edit ACL', and 'Replicate'.

Access should only be granted for 'Read', 'Modify', 'Create', and 'Delete'.
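
An added example, not code from any poster in this thread or from the Sling project: a Python check that parses the allow/deny rules in a repoinit cfg.json "scripts" array and reports privilege names outside a reference set, plus delete grants that lack the parent-side privilege. The reference set (JCR 2.0 standard privileges, Oak's rep: privileges, AEM's crx:replicate) and the names lint_repoinit, KNOWN_PRIVILEGES and SAMPLE are assumptions of this example.

```python
import json
import re

# Assumed reference set (not from the thread): JCR 2.0 standard privileges,
# Oak's rep: privileges, and AEM's replication privilege crx:replicate.
KNOWN_PRIVILEGES = set("""
jcr:read jcr:write jcr:all jcr:modifyProperties jcr:addChildNodes
jcr:removeNode jcr:removeChildNodes jcr:readAccessControl
jcr:modifyAccessControl jcr:lockManagement jcr:versionManagement
jcr:nodeTypeManagement jcr:retentionManagement jcr:lifecycleManagement
rep:write rep:readNodes rep:readProperties rep:addProperties
rep:alterProperties rep:removeProperties rep:userManagement
rep:privilegeManagement rep:indexDefinitionManagement crx:replicate
""".split())
# Aggregates that already contain jcr:removeChildNodes.
COVERS_REMOVE_CHILD = {"jcr:removeChildNodes", "jcr:write", "rep:write", "jcr:all"}
# Matches "allow <privs> on <path>" and "allow <privs> for <principal>".
RULE = re.compile(r"^\s*(allow|deny)\s+(.+?)\s+(?:on|for)\s+\S", re.M)


def lint_repoinit(cfg_json):
    """Return (script index, action, message) for each suspect allow/deny rule."""
    findings = []
    for idx, script in enumerate(json.loads(cfg_json)["scripts"]):
        for action, privs in RULE.findall(script):
            names = [p.strip() for p in privs.split(",")]
            for name in names:
                if name not in KNOWN_PRIVILEGES:
                    findings.append((idx, action, f"unknown privilege {name}"))
            # JCR: deleting a node also needs jcr:removeChildNodes on its parent.
            if (action == "allow" and "jcr:removeNode" in names
                    and not COVERS_REMOVE_CHILD & set(names)):
                findings.append((idx, action, "jcr:removeNode without jcr:removeChildNodes"))
    return findings


# Constructed sample: two script entries as posted in the thread.
SAMPLE = json.dumps({"scripts": [
    "create service user brandWriteUser",
    "set ACL on /content/experience-fragments/global-branding\n"
    " allow jcr:read, jcr:modifyProperties, jcr:addChildNodes, jcr:removeNode"
    " for brandWriteUser\n"
    " deny jcr:readAccessControl, jcr:modifyAccessControl, jcr:replicate"
    " for brandWriteUser\n end\n",
]})

if __name__ == "__main__":
    for finding in lint_repoinit(SAMPLE):
        print(finding)
```

On the sample it reports jcr:replicate, which is not in the reference set (AEM registers its replication privilege as crx:replicate), and an allow rule granting jcr:removeNode without jcr:removeChildNodes.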

kautuk_sahni
Community Manager
July 14, 2025

@test1234567 Just checking in — were you able to resolve your issue?
We’d love to hear how things worked out. If the suggestions above helped, marking a response as correct can guide others with similar questions. And if you found another solution, feel free to share it — your insights could really benefit the community. Thanks again for being part of the conversation!

Kautuk Sahni