#
#  Licensed to the Apache Software Foundation (ASF) under one
#  or more contributor license agreements.  See the NOTICE file
#  distributed with this work for additional information
#  regarding copyright ownership.  The ASF licenses this file
#  to you under the Apache License, Version 2.0 (the
#  "License"); you may not use this file except in compliance
#  with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing,
#  software distributed under the License is distributed on an
#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
#  KIND, either express or implied.  See the License for the
#  specific language governing permissions and limitations
#  under the License.
#

# general
create path (sling:OrderedFolder) /content
set ACL for everyone
    allow   jcr:read   on /content
end

# sling-readall
create service user sling-readall with path system/sling

set principal ACL for sling-readall
    allow   jcr:read    on /
end

# sling-xss
create service user sling-xss with path system/sling

create path (sling:Folder) /apps/sling/xss

set principal ACL for sling-xss
    allow   jcr:read    on /apps/sling/xss
end

# sling-jcr-install
create service user sling-jcr-install with path system/sling

# used for config OSGi writeback
create path (sling:Folder) /apps/sling/install

set principal ACL for sling-jcr-install
    allow    rep:write    on /apps/sling/install
end

# content-package installer
create service user sling-package-install with path system/sling

set principal ACL for sling-package-install
    allow   jcr:all     on    /
    allow   jcr:namespaceManagement,jcr:nodeTypeDefinitionManagement on :repository
end
#<<< SLING-5848 - Define service user and ACLs for Scripting
create service user sling-search-path-reader with path system/sling

create path (sling:Folder) /libs
create path (sling:Folder) /apps

set principal ACL for sling-search-path-reader
    allow   jcr:read    on /libs,/apps
end
# SLING-5848 - Define service user and ACLs for Scripting >>>
#<<< SLING-9735 - Define service user and ACLs for jcr.contentloader
create service user sling-jcr-content-loader with path system/sling
set principal ACL for sling-jcr-content-loader
    allow jcr:all on /
end
# SLING-9735 - Define service user and ACLs for jcr.contentloader >>>
#<<< SLING-9809 - Define service user and ACLs for jcr.usermanager
create service user sling-jcr-usermanager with path system/sling
set principal ACL for sling-jcr-usermanager
    allow jcr:read,jcr:readAccessControl,jcr:modifyAccessControl,rep:write,rep:userManagement on /home
end
# SLING-9809 - Define service user and ACLs for jcr.usermanager >>>

# SLING-10597 - Simplify setup of resource resolution mappings
create path (sling:Folder) /etc/map
create path (sling:Folder) /etc/map/http