Issue with System User Configuration in AEM as a Cloud Service | Community
Skip to main content
G
georhe6
Level 4
June 23, 2025
Solved

Issue with System User Configuration in AEM as a Cloud Service

  • June 23, 2025
  • 2 replies
  • 655 views

I’m attempting to create and configure a service user for access to certain resources within AEM as Cloud service. Below are the steps I’ve followed and the error I encountered.

public final class ResolverUtil { private ResolverUtil() { } public static final String project_SERVICE_USER = "resource"; public static ResourceResolver newResolver(ResourceResolverFactory resourceResolverFactory) throws LoginException { final Map<String, Object> paramMap = new HashMap<String, Object>(); paramMap.put(ResourceResolverFactory.SUBSERVICE, "resource"); return resourceResolverFactory.getServiceResourceResolver(paramMap); } }

RepositoryInitializer code below

org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config

// org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config scripts = [" # Create service user if it doesn't exist create service user project-website-service with forced path system/cq:services/project-website # Set ACL permissions set principal ACL for project-website-service allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer allow jcr:read on /content/dam/projectwebsite end "]

ServiceUserMapperImpl code below

org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json { "user.mapping": [ "aem-project-website.core:resource=[project-website-service]" ] }

When trying to use the service user, I receive the following error in the AEM logs:

org.apache.sling.api.resource.LoginException: Cannot derive user name for bundle aem-caat-website.core [620] and sub service resource



  • I am using AEM as a Cloud Service for this project.

  • The issue is occurring on my local AEM instance, not in the Cloud environment.

  • I checked the user in localhost:4502/crx/expolorer did not see the user there under system/cq:services/project-website



 

Best answer by SantoshSai

Hi @georhe6,

There are 2 things coming in my mind at the moment:

  1. The service user project-website-service has not been created in your local instance, because the RepositoryInitializer config hasn't executed properly locally.

  2. The user.mapping in your OSGi config is pointing to the wrong bundle symbolic name, or it hasn't been deployed to your local SDK correctly.

1. Check and Fix the RepositoryInitializer Config

Your repoinit config seems fine:

create service user project-website-service with forced path system/cq:services/project-website

set principal ACL for project-website-service
    allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer
    allow jcr:read on /content/dam/projectwebsite
end

But you must ensure it's part of your ui.config or ui.apps and deployed correctly.

Check:

  • File: ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config/ or config.author/

  • Filename: org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config

But! Local SDK might not execute repo init if the config is not deployed properly or not picked up at startup.

Fix: Trigger a redeploy or restart with the repo init config correctly placed.

2. Confirm Service User Mapping is Correct

You have this:

{
  "user.mapping": [
    "aem-project-website.core:resource=[project-website-service]"
  ]
}

Make sure that:

  • The bundle symbolic name aem-project-website.core matches the actual bundle name

  • You can find the bundle symbolic name by:

If it's different (e.g., com.mycompany.project.core), update your config accordingly.

Example (corrected):

{
  "user.mapping": [
    "com.mycompany.project.core:resource=[project-website-service]"
  ]
}

Also ensure this OSGi config is deployed to ui.config/.../config.author/ as:

org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json
3. Verify Service User Exists Locally

Check if the user was created at:

/home/users/system/cq:services/project-website/project-website-service

  • Go to: http://localhost:4502/crx/explorer

  • Navigate to: /home/users/system/cq:services/project-website/

  • If not there: your repoinit hasn't run → recheck config and trigger a full redeploy.

At the end, you can try wiping your local repo state (if it’s just a dev environment):

Then restart the local AEM SDK with java -jar aem-author-p4502.jar so it picks up all OSGi/config/init again from scratch.

Alternatively, do a full Maven build and deploy again.

2 replies

SantoshSai
Community Advisor
SantoshSaiCommunity AdvisorAccepted solution
Community Advisor
June 24, 2025

Hi @georhe6,

There are 2 things coming in my mind at the moment:

  1. The service user project-website-service has not been created in your local instance, because the RepositoryInitializer config hasn't executed properly locally.

  2. The user.mapping in your OSGi config is pointing to the wrong bundle symbolic name, or it hasn't been deployed to your local SDK correctly.

1. Check and Fix the RepositoryInitializer Config

Your repoinit config seems fine:

create service user project-website-service with forced path system/cq:services/project-website

set principal ACL for project-website-service
    allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer
    allow jcr:read on /content/dam/projectwebsite
end

But you must ensure it's part of your ui.config or ui.apps and deployed correctly.

Check:

  • File: ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config/ or config.author/

  • Filename: org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config

But! Local SDK might not execute repo init if the config is not deployed properly or not picked up at startup.

Fix: Trigger a redeploy or restart with the repo init config correctly placed.

2. Confirm Service User Mapping is Correct

You have this:

{
  "user.mapping": [
    "aem-project-website.core:resource=[project-website-service]"
  ]
}

Make sure that:

  • The bundle symbolic name aem-project-website.core matches the actual bundle name

  • You can find the bundle symbolic name by:

If it's different (e.g., com.mycompany.project.core), update your config accordingly.

Example (corrected):

{
  "user.mapping": [
    "com.mycompany.project.core:resource=[project-website-service]"
  ]
}

Also ensure this OSGi config is deployed to ui.config/.../config.author/ as:

org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json
3. Verify Service User Exists Locally

Check if the user was created at:

/home/users/system/cq:services/project-website/project-website-service

  • Go to: http://localhost:4502/crx/explorer

  • Navigate to: /home/users/system/cq:services/project-website/

  • If not there: your repoinit hasn't run → recheck config and trigger a full redeploy.

At the end, you can try wiping your local repo state (if it’s just a dev environment):

Then restart the local AEM SDK with java -jar aem-author-p4502.jar so it picks up all OSGi/config/init again from scratch.

Alternatively, do a full Maven build and deploy again.

Santosh Sai
AmitVishwakarma
Community Advisor
AmitVishwakarmaCommunity Advisor
Community Advisor
June 24, 2025

Hi @georhe6 ,

Root Causes:

  - The service user was not created due to RepoInit not being executed.

  - The bundle symbolic name in user mapping is incorrect or not deployed properly.

OSGi configs not deployed correctly to config.author.


Try below solution:

1. Fix and Validate RepositoryInitializer Configuration

Make sure your RepositoryInitializer config is placed correctly under:

ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config.author/

File name:

org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config

Content:

scripts = [ " create service user project-website-service with forced path system/cq:services/project-website set principal ACL for project-website-service allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer allow jcr:read on /content/dam/projectwebsite end " ]

Redeploy Config

Run a clean build and deploy

 

2. Verify Service User Was Created

Check in CRX Explorer:

  - Go to: http://localhost:4502/crx/explorer

  - Navigate to:

/home/users/system/cq:services/project-website/project-website-service

If the user is not there, your repo init didn’t run. In that case:

  - Delete the crx-quickstart directory to reset the repo (local dev only!)

  - Restart the SDK with:

java -jar aem-author-p4502.jar

Content:

{ "user.mapping": [ "com.ranosys.projectwebsite.core:resource=[project-website-service]" ] }

 Deploy with Maven

 

Terms & ConditionsAccessibility statement

Loading footer...