I’m attempting to create and configure a service user for access to certain resources within AEM as a Cloud Service. Below are the steps I’ve followed and the error I encountered.

    import java.util.HashMap;
    import java.util.Map;

    import org.apache.sling.api.resource.LoginException;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;

    public final class ResolverUtil {
        private ResolverUtil() {
        }

        public static final String project_SERVICE_USER = "resource";

        // Opens a resolver for the calling bundle's "resource" subservice.
        public static ResourceResolver newResolver(ResourceResolverFactory resourceResolverFactory) throws LoginException {
            final Map<String, Object> paramMap = new HashMap<String, Object>();
            paramMap.put(ResourceResolverFactory.SUBSERVICE, "resource");
            return resourceResolverFactory.getServiceResourceResolver(paramMap);
        }
    }
RepositoryInitializer code below
org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config

    // org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config
    scripts = ["
    # Create service user if it doesn't exist
    create service user project-website-service with forced path system/cq:services/project-website
    # Set ACL permissions
    set principal ACL for project-website-service
        allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer
        allow jcr:read on /content/dam/projectwebsite
    end
    "]

ServiceUserMapperImpl code below
org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json

    {
      "user.mapping": [
        "aem-project-website.core:resource=[project-website-service]"
      ]
    }

When trying to use the service user, I receive the following error in the AEM logs:
org.apache.sling.api.resource.LoginException: Cannot derive user name for bundle aem-caat-website.core [620] and sub service resource
I am using AEM as a Cloud Service for this project.
The issue is occurring on my local AEM instance, not in the Cloud environment.
Hi @georhe6,
There are 2 things coming to my mind at the moment:
- The service user project-website-service has not been created in your local instance, because the RepositoryInitializer config hasn't executed properly locally.
- The user.mapping in your OSGi config is pointing to the wrong bundle symbolic name, or it hasn't been deployed to your local SDK correctly.

RepositoryInitializer Config
Your repoinit config seems fine:

    create service user project-website-service with forced path system/cq:services/project-website
    set principal ACL for project-website-service
        allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer
        allow jcr:read on /content/dam/projectwebsite
    end

But you must ensure it's part of your ui.config or ui.apps and deployed correctly.
Check:
File: ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config/ or config.author/
Filename: org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config
But! Local SDK might not execute repo init if the config is not deployed properly or not picked up at startup.
Fix: Trigger a redeploy or restart with the repo init config correctly placed.

You have this:

    {
      "user.mapping": [
        "aem-project-website.core:resource=[project-website-service]"
      ]
    }

Make sure that:
The bundle symbolic name aem-project-website.core matches the actual bundle name
You can find the bundle symbolic name by:
Finding your core bundle and verifying its Symbolic Name
If it's different (e.g., com.mycompany.project.core), update your config accordingly.
Example (corrected):

    {
      "user.mapping": [
        "com.mycompany.project.core:resource=[project-website-service]"
      ]
    }

Also ensure this OSGi config is deployed to ui.config/.../config.author/ as:
org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json

Check if the user was created at:
/home/users/system/cq:services/project-website/project-website-service
Navigate to: /home/users/system/cq:services/project-website/
If not there: your repoinit hasn't run → recheck config and trigger a full redeploy.

At the end, you can try wiping your local repo state (if it’s just a dev environment):
Then restart the local AEM SDK with java -jar aem-author-p4502.jar so it picks up all OSGi/config/init again from scratch.
Alternatively, do a full Maven build and deploy again.
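
An added example, not part of either answer and not Sling's own code: a Python check that compares the bundle and subservice named in the LoginException with the `user.mapping` entries. The log line and mapping are the ones quoted in the question; the function names are hypothetical, and treating a mapping without a subservice as a bundle-wide fallback is an assumption of this sketch.

```python
import json
import re

# Inputs copied from the question and embedded here so the check runs offline.
LOG_LINE = ("org.apache.sling.api.resource.LoginException: Cannot derive user name "
            "for bundle aem-caat-website.core [620] and sub service resource")
MAPPING_JSON = ('{"user.mapping": '
                '["aem-project-website.core:resource=[project-website-service]"]}')

ERROR_RE = re.compile(
    r"Cannot derive user name for bundle (\S+) \[\d+\] and sub service (\S+)")
# Mapping syntax: <bundle symbolic name>[:<subservice>]=<user> or =[principal,...]
MAPPING_RE = re.compile(r"^([^:=]+)(?::([^=]+))?=(.+)$")


def parse_mappings(cfg_json):
    """Return (bundle, subservice or None, principals) per user.mapping entry."""
    out = []
    for entry in json.loads(cfg_json).get("user.mapping", []):
        m = MAPPING_RE.match(entry.strip())
        if not m:
            raise ValueError(f"malformed user.mapping entry: {entry!r}")
        bundle, sub, target = (g.strip() if g else None for g in m.groups())
        if target.startswith("[") and target.endswith("]"):
            principals = [p.strip() for p in target[1:-1].split(",") if p.strip()]
        else:
            principals = [target]
        out.append((bundle, sub, principals))
    return out


def diagnose(log_line, cfg_json):
    """Say whether the bundle/subservice in the error line has a mapping."""
    m = ERROR_RE.search(log_line)
    if not m:
        return "no 'Cannot derive user name' error in this line"
    bundle, sub = m.groups()
    mappings = parse_mappings(cfg_json)
    for b, s, principals in mappings:
        # Assumption: an entry without a subservice covers the whole bundle.
        if b == bundle and s in (sub, None):
            return f"mapped: {bundle}:{sub} -> {principals}"
    near = [b for b, s, _ in mappings if s == sub and b != bundle]
    if near:
        return (f"bundle mismatch: log has {bundle!r}, "
                f"config maps {near[0]!r} for subservice {sub!r}")
    return f"no mapping for {bundle}:{sub}"


if __name__ == "__main__":
    print(diagnose(LOG_LINE, MAPPING_JSON))
```
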
Hi @georhe6 ,
Root Causes:
- The service user was not created due to RepoInit not being executed.
- The bundle symbolic name in user mapping is incorrect or not deployed properly.
- OSGi configs not deployed correctly to config.author.
Try below solution:
1. Fix and Validate RepositoryInitializer Configuration
Make sure your RepositoryInitializer config is placed correctly under:
ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config.author/
File name:
org.apache.sling.jcr.repoinit.RepositoryInitializer~projectwebsite-readcf.config
Content:

    scripts = [
    "
    create service user project-website-service with forced path system/cq:services/project-website
    set principal ACL for project-website-service
        allow jcr:read,jcr:write,jcr:modifyProperties,jcr:addChildNodes,jcr:removeNode,jcr:removeChildNodes on /content/dam/projectwebsite/customer
        allow jcr:read on /content/dam/projectwebsite
    end
    "
    ]

Redeploy Config
Run a clean build and deploy
2. Verify Service User Was Created
Check in CRX Explorer:
- Go to: http://localhost:4502/crx/explorer
- Navigate to:
/home/users/system/cq:services/project-website/project-website-service
If the user is not there, your repo init didn’t run. In that case:
- Delete the crx-quickstart directory to reset the repo (local dev only!)
- Restart the SDK with:
java -jar aem-author-p4502.jar
ui.config/src/main/content/jcr_root/apps/project-website/osgiconfig/config.author/
File name: org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~projectwebsite.cfg.json
Content:

    {
      "user.mapping": [
        "com.ranosys.projectwebsite.core:resource=[project-website-service]"
      ]
    }

Deploy with Maven
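
    import java.util.HashMap;
    import java.util.Map;

    import org.apache.sling.api.resource.LoginException;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;

    public final class ResolverUtil {
        private ResolverUtil() {
        }

        // Subservice name; must match the part after ":" in the user.mapping entry.
        public static final String PROJECT_SERVICE_USER = "resource";

        public static ResourceResolver newResolver(ResourceResolverFactory resourceResolverFactory) throws LoginException {
            Map<String, Object> paramMap = new HashMap<>();
            paramMap.put(ResourceResolverFactory.SUBSERVICE, PROJECT_SERVICE_USER);
            return resourceResolverFactory.getServiceResourceResolver(paramMap);
        }
    }
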
5. Logging and Debug
If it still fails, enable debug logs for service user mapping:
- Go to: /system/console/slinglog
- Add logger for: org.apache.sling.serviceusermapping.impl
- Set level: DEBUG
Check logs again for clues.
Regards,
Amit