CQ5.2.1 to CQ5.3 Upgrade: default ACLs for default groups on /home incorrect


After upgrading a CQ5.2.1 authoring instance to 5.3, members of the user-administrators group cannot administer users and groups anymore


The default ACL setup for the /home branch where users and groups are stored has been simplified with CQ5.3. The upgrade mechanism from CQ5.2.1 to CQ5.3 does not take this into account, leaving an inconsistent ACL setup which basically renders the user-administration capabilities of the user-administrators group ineffective.


Attached to this article is a CQ5 content package containing a script which restores the ability to administer users/groups for members of the default user-administrators group.

Make sure to have a backup of the upgraded instance before applying the following steps:

  • after successful upgrade, all users/groups are kept in backup folders
    • /home/users-xxxxxx
    • /home/groups-yyyyyy
  • via the CRX Content Explorer, delete these 2 backup folders and save
  • upload and install the attached package using the CQ5 package manager
  • under Tools, double-click on Fix /home ACL setup or manually request http://<host>:<port>/etc/fix_home_setup.html
  • start the procedure

Applies to

CQ5.3 Upgrade