SystemPrincipalsValidation Warning: Refactor principal to have principal-based access control setup


Level 1

Hi All, 

 

I have a warning in the log file for all custom service users:

22.08.2025 19:42:19.681 [aem-author-786cd7b776-sddwr] *WARN* [JobHandler: /var/workflow/instances/server0/2025-08-22/custom-id-post-processing_1:/content/dam/assets/test.png] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-asset-service' to have principal-based access control setup.

 

I create users using a YAML file:

- user_config:

    - custom-asset-service:
        - path: custom
          isSystemUser: true

- ace_config:

    - custom-asset-service:
        - path: /content/dam/assets
          permission: allow
          privileges: jcr:read

 

And my user mapping in .cfg.json:

{
  "user.mapping": [
    "aem-custom.core:id-images-service=[custom-asset-service]"
  ]
}

 

Could you please share how to refactor the principal to have a principal-based access control setup?

 

@arunpatidar @konstantyn_diachenko @VeenaVikraman

 

Best Regards,

Alisa

 

6 Replies


Community Advisor

Hi @alisa-dev ,

That warning means your custom service users are still using the old ACL-based permissions, but Adobe now requires principal-based access control (PBAC) for all system users in AEMaaCS and modern AEM 6.5 setups. In simple terms: instead of granting permissions with classic ACLs, you should define principal-based ACLs under /home/users/system/... using the PrincipalBasedAuthorizationConfiguration. So, refactoring means updating your YAML or repo-init so that the service user’s permissions are applied as principal-based rules (e.g., set principal ACL for custom-asset-service), not by attaching node ACLs directly. This way the system user gets its rights via PBAC, the warning goes away, and your service account follows Adobe’s recommended security model.

Hrishikesh Kagane
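
An added example, not part of the original thread or Adobe's code: a Python sketch that pulls the flagged principals out of log lines in the format quoted in the question and renders Sling repoinit statements (`create service user`, `set principal ACL`) for those whose ACEs are known. The log lines, the ACE dictionary, the function names and the default user path are constructed for illustration, and the output assumes the project deploys permissions through repoinit.

```python
import re

# Constructed sample log lines in the format shown in the question.
SAMPLE_LOG = """\
22.08.2025 19:42:19.681 [aem-author-0] *WARN* [JobHandler: /var/workflow/instances/server0/x] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-asset-service' to have principal-based access control setup.
22.08.2025 19:42:20.002 [aem-author-0] *INFO* [main] com.example.Other Unrelated message
22.08.2025 19:43:01.114 [aem-author-0] *WARN* [main] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-report-service' to have principal-based access control setup.
22.08.2025 19:44:00.500 [aem-author-0] *WARN* [main] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-asset-service' to have principal-based access control setup.
"""

# Constructed ACE data mirroring the ace_config entries (principal -> rules).
SAMPLE_ACES = {
    "custom-asset-service": [
        {"path": "/content/dam/assets", "permission": "allow", "privileges": "jcr:read"},
    ],
}

WARNING = re.compile(r"SystemPrincipalsValidation Refactor principal '([^']+)'")

def flagged_principals(log_text):
    """Return principals named in the warning, de-duplicated, in first-seen order."""
    seen = []
    for match in WARNING.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def repoinit_for(principal, aces, user_path="system/cq:services/custom"):
    """Render repoinit statements that grant `aces` as a principal-based ACL."""
    lines = [f"create service user {principal} with path {user_path}",
             f"set principal ACL for {principal}"]
    for ace in aces:
        if ace["permission"] not in ("allow", "deny"):
            raise ValueError(f"unsupported permission: {ace['permission']!r}")
        privileges = ",".join(p.strip() for p in ace["privileges"].split(","))
        lines.append(f"    {ace['permission']} {privileges} on {ace['path']}")
    lines.append("end")
    return "\n".join(lines)

def report(log_text, aces_by_principal):
    """Map each flagged principal to repoinit text, or None when its ACEs are unknown."""
    return {
        p: repoinit_for(p, aces_by_principal[p]) if p in aces_by_principal else None
        for p in flagged_principals(log_text)
    }

if __name__ == "__main__":
    for principal, script in report(SAMPLE_LOG, SAMPLE_ACES).items():
        print(script or f"# {principal}: flagged in log, no ACEs supplied", end="\n\n")
```

A `None` entry marks a principal that the log flags but for which no ACE data was supplied, so it still needs its permissions looked up before it can be refactored.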


Level 1

Hi @HrishikeshKagne

 

Thank you for your reply!

I changed the path for the custom system user to system/cq:services/custom:

 

- user_config:

    - custom-asset-service:
        - path: system/cq:services/custom
          isSystemUser: true

- ace_config:

    - custom-asset-service:
        - path: /content/dam/assets
          permission: allow
          privileges: jcr:read

But in the repo, for my user, I cannot see a rep:principalPolicy node with the user permissions:

Screenshot 2025-08-24 134409.png

Could you please share how I need to create the user config to apply the right permissions?


Community Advisor


Level 1

Hi @arunpatidar 

 

Thank you for your reply!

I checked this post and I have the same configuration, but I still see the warning in the log files.


Community Advisor

Hi @alisa-dev 

Try with the below:

- user_config:

    - custom-asset-service:
        - path: system/cq:services/custom
          isSystemUser: true
          name: custom-asset-service

- ace_config:

    - custom-asset-service:
        - path: /content/dam/assets
          permission: allow
          privileges: jcr:read

 

Arun Patidar


Administrator

@arunpatidar just checking in! Were you able to get this resolved? If one of the replies above helped—whether it completely solved the issue or simply pointed you in the right direction—marking it as accepted can make it much easier for others with the same question to find a solution. And if you found a different way to fix it, sharing your approach would be a great contribution to the community. Your follow-up not only helps close the loop but also ensures others benefit from your experience. Thanks so much for being part of the conversation!



Kautuk Sahni