# Removal of individual access control entries (see SLING-11160), requires
# o.a.s.repoinit.parser 1.6.14 and
# o.a.s.jcr.repoinit 1.1.38

# remove entries by path

remove ACE on /libs,/apps, /, /content/example.com/some-other_path
    allow jcr:read for user1,user2
    allow privilege_without_namespace for user4
    deny jcr:write,something:else,another:one for user2
    deny jcr:lockManagement for user1
    deny jcr:modifyProperties for user2 restriction(rep:itemNames,prop1,prop2)
end

# remove entries by principal

remove ACE for user1,u2
    allow jcr:read on /content
    allow jcr:addChildNodes, jcr:modifyProperties on /content restriction(rep:glob)
    deny jcr:read on /etc, /var restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)
end

# remove principal-based entries

remove principal ACE for principal1,principal2
    allow jcr:read on /content
    deny jcr:modifyProperties on /apps, /content restriction(rep:itemNames,prop1,prop2)
    allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured)
    allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*)
    allow jcr:something on / restriction(rep:glob)
    allow jcr:all on :repository,home(alice)
end