SystemPrincipalsValidation Warning: Refactor principal to have principal-based access control setup | Community
Skip to main content
A
alisa-dev
New Member
August 23, 2025
Solved

SystemPrincipalsValidation Warning: Refactor principal to have principal-based access control setup

  • August 23, 2025
  • 3 replies
  • 768 views

Hi All, 

 

I have warning in log file for all custom service users:

22.08.2025 19:42:19.681 [aem-author-786cd7b776-sddwr] *WARN* [JobHandler: /var/workflow/instances/server0/2025-08-22/custom-id-post-processing_1:/content/dam/assets/test.png] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-asset-service' to have principal-based access control setup.

 

I create users using yaml file:

- user_config: - custom-asset-service: - path: custom isSystemUser: true - ace_config: - custom-asset-service: - path: /content/dam/assets permission: allow privileges: jcr:read

 

And my users mapping in .cfg.json:

{ "user.mapping": [ "aem-custom.core:id-images-service=[custom-asset-service]" ] }

 

Could you please share how refactor principal to have principal-based access control setup?

 

@arunpatidar@konstantyn_diachenko@veenavikraman 

 

Best Regards,

Alisa

 

Best answer by arunpatidar

Hi @alisa-dev 

Try with below

- user_config: - custom-asset-service: - path: system/cq:services/custom isSystemUser: true name: custom-asset-service - ace_config: - custom-asset-service: - path: /content/dam/assets permission: allow privileges: jcr:read

 

3 replies

HrishikeshKagne
Community Advisor
HrishikeshKagneCommunity Advisor
Community Advisor
August 23, 2025

Hi @alisa-dev ,

That warning means your custom service users are still using the old ACL-based permissions, but Adobe now requires principal-based access control (PBAC) for all system users in AEMaaCS and modern AEM 6.5 setups. In simple terms:- instead of granting permissions with classic ACLs, you should define principal-based ACLs under /home/users/system/... using the PrincipalBasedAuthorizationConfiguration. So, refactoring means updating your YAML or repo-init so that the service user’s permissions are applied as principal-based rules (e.g., set principal ACL for custom-asset-service), not by attaching node ACLs directly. This way the system user gets its rights via PBAC, the warning goes away, and your service account follows Adobe’s recommended security model.

Hrishikesh Kagane
    A
    alisa-devAuthor
    New Member
    August 24, 2025

    Hi @hrishikeshkagne

     

    thank you for your reply!

    I change path for custom system user to system/cq:services/custom:

     

    - user_config: - custom-asset-service: - path: system/cq:services/custom isSystemUser: true - ace_config: - custom-asset-service: - path: /content/dam/assets permission: allow privileges: jcr:read

     but in repo for my user I can not see rep:principalPolicy node with user permissions:

    Could you please share how I need to create user config for applying right permissions?

    arunpatidar
    Community Advisor
    arunpatidarCommunity Advisor
    Community Advisor
    August 25, 2025

    Hi @alisa-dev 

    Please check https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/console-error-principle-based-access-control-setup/m-p/560045 

    Arun Patidar
      A
      alisa-devAuthor
      New Member
      August 31, 2025

      Hi @arunpatidar 

       

      thank you for your reply!

      I checked this post and I have same configuration but still see warning in log files.

      arunpatidar
      Community Advisor
      arunpatidarCommunity AdvisorAccepted solution
      Community Advisor
      September 3, 2025

      Hi @alisa-dev 

      Try with below

      - user_config: - custom-asset-service: - path: system/cq:services/custom isSystemUser: true name: custom-asset-service - ace_config: - custom-asset-service: - path: /content/dam/assets permission: allow privileges: jcr:read

       

      Arun Patidar
        kautuk_sahni
        Community Manager
        kautuk_sahniCommunity Manager
        Community Manager
        September 2, 2025

        @alisa-dev  just checking in! Were you able to get this resolved? If one of the replies above helped—whether it completely solved the issue or simply pointed you in the right direction—marking it as accepted can make it much easier for others with the same question to find a solution. And if you found a different way to fix it, sharing your approach would be a great contribution to the community. Your follow-up not only helps close the loop but also ensures others benefit from your experience. Thanks so much for being part of the conversation!

        Kautuk Sahni
        Terms & ConditionsAccessibility statement

        Loading footer...