Default ACL (rep:policy)
The default access control lists are bound to individual nodes. They may be used to grant/deny access for all operations that are in some way related to JCR items: regular read/write, access control management, versioning, locking and as of Oak 1.0 user management and writing index definitions.
Repo-Level ACL (/rep:repoPolicy)
The access control lists bound to the null path can be used to grant/deny privileges associated with operations on repository-level such as namespace, node type, privilege and workspace management.
The effect of these entries is limited to the repository operations and is no inherited to any items inside the repository.
Access control policies created and modified using the default authorization model are stored as child of the node they are bound to with name rep:policy or as node with path /rep:repoPolicy (for repo-level policies).
Examples
Regular ACL at /content
"": {
"jcr:primaryType": "rep:root",
"content": {
"jcr:primaryType": "oak:Unstructured",
"jcr:mixinTypes": "rep:AccessControllable",
"rep:policy": {
"jcr:primaryType": "rep:ACL",
"allow": {
"jcr:primaryType": "rep:GrantACE",
"rep:principalName": "jackrabbit",
"rep:privileges": ["jcr:read", "rep:write"]
},
"deny": {
"jcr:primaryType": "rep:DenyACE",
"rep:principalName": "jackrabbit",
"rep:privileges": ["jcr:addNodes", "rep:addProperties"],
"rep:restrictions" {
"jcr:primaryType": "rep:Restrictions",
"rep:ntNames": ["nt:hierarchyNode", "nt:resource"]
}
}
}
}
}
Repo-Level Policy
"": {
"jcr:primaryType": "rep:root",
"jcr:mixinTypes": "rep:RepoAccessControllable",
"rep:repoPolicy": {
"jcr:primaryType": "rep:ACL",
"allow": {
"jcr:primaryType": "rep:GrantACE",
"rep:principalName": "elefant",
"rep:privileges": ["rep:privilegeManagement"]
}
}
}
Please refer for information
https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html
Hope this is helpful
