Both AEM as a Cloud Service and Sling CMS 1.0.2+ use the Sling OSGi Feature Model for provisioning instances. The Sling OSGi Feature Model offers several improvements over the Sling Provisioning Model it replaces in that it is richer in capabilities and more descriptive of the applications being created.
There are some tricky situations you need to consider when converting legacy applications from a Provisioning Model paradigm to a Feature Model paradigm. Most revolve around the new initialization / configuration as code capabilities in the OSGi Feature Model.
RepoInit and Content Package ACLs
One of the abilities of the Sling OSGi Feature Model is to include RepoInit scripts as a part of the application definition. With RepoInit, we can express the desired state of the repository in a RepoInit script and the RepoInit Parser and Processor will initialize the repository in that state. This can include:
Creating users, groups and service users
Creating resources and setting properties
Before RepoInit was adopted, applications generally would use Jackrabbit FileVault Content Packages to initialize the content and permissions of the repository.
This was an awkward process however, as it was very difficult to define packages correctly to create users / groups, apply ACLs or create a base content structure without accidentally wiping out custom content. This is because, in the JCR, Access Control resources (rep:policy nodes) are stored underneath the node they apply to so you'd have to create complex rules to package the ACLs without overriding the other child resources.
RepoInit makes this easy by extracting the logic of the ACL setting to a simple DSL, what used to be a series of folders and .content.xml files with a complex regex filter, now becomes:
set ACL on /libs,/apps
allow jcr:read for user1
So much easier!
The problem starts when you have a mix of content package and RepoInit access controls. Traditionally, in AEM / Apache Sling we rely on the content packages and bundle content all being installed around the same time, so access controls get installed together. Now we have a two stage process, first the RepoInit statements get executed then the content packages / bundle content are installed.