I use Repository Initializer scripts to set up a basic content folder structure and configure some permissions. In principle RepoInit scripts work and I am able to do this successfully.
Now I am trying to set some DENY ACL permissions for a group, also using Repository Initializer scripts.
But I cannot solve the following issue:
Our groups and users are managed outside of AEM, not locally (e.g. IMS/SAML/LDAP identities). So far so good.
This means the groups are not created in a specific AEM instance until at least one member has logged in - so on lower development environments, some groups may simply not exist.
Approach A:
If the RepoInit script references such a missing group name / principal with a path-based ACL (set ACL on ...), it silently fails.
Failed to set ACL (java.lang.IllegalStateException: Authorizable not found: External AA group)
So I cannot use these reliably in my scripts for any given environment.
Approach B:
If I use a principal ACL (set principal ACL) in my script, this will work even before the group exists, so it's a recommended approach. But this does not support DENY rules, only ALLOW rules.
Failed to set principal-based ACL (PrincipalAccessControlList doesn't support 'deny' entries.)
So I cannot use this approach either.
(I could in theory refactor our whole permissions approach so that I only need allow rules and not deny rules, but that would be a lot of effort and risky, and the resulting permission structure would be much more redundant and complex - so not an option).
I also tried creating an intermediate local group using the RepoInit script, to include the external groups and then set the permissions transitively.
Like
# local group that the external groups are made members of
create group "Intermediate Local"
# this statement fails when the external principals do not exist yet
add "External AA group","External BB group" to group "Intermediate Local"
but this fails for the same reasons as Approach A - if the external group principals do not exist yet.
How can this chicken-and-egg problem be solved?
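As an added illustration (not part of the original post), the two statement forms the question describes, side by side. The group name is taken from the post; the paths and privileges are assumptions for the example, and the behaviour noted in the comments is what the post reports.

```text
# Approach A: path-based ACL. Accepts deny entries, but the principal must
# already exist, otherwise the statement fails with "Authorizable not found".
set ACL for "External AA group"
    allow jcr:read on /content/site
    deny jcr:write on /content/site/restricted
end

# Approach B: principal-based ACL. Reported to work before the group exists,
# but only allow entries are accepted; a deny line here fails with
# "PrincipalAccessControlList doesn't support 'deny' entries".
set principal ACL for "External AA group"
    allow jcr:read on /content/site
end
```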