In AEM6.1 and later versions, there are system users that are included with AEM out of the box.  The users already have ACLs created under various paths such as /apps, /libs, /etc, /var, /content. and some of the subpaths.  If ACLs are accidentally overwritten during a data migration from an older AEM version to a newer one,  they can break various features in AEM.

The /apps, /etc/clientlibs, /var/clientlibs, and /libs path ACLs are if overwritten, can break AEM:

  • Client library overlay files under /apps do not work.
  • The div tags which are generated around components do not show up
  • Other issues such as broken user interface, authentication.


The clientlibs-service user and other users are missing their access to the previously mentioned paths.


  1. Install a clean AEM instance (same version and patches as your destination upgrade instance).

  2. Follow the steps in this article to create an ACL package of the ACLs o be migrated.

  3. Install the ACL package to the instance from step 1.

  4. Following the same method as step 2, create a package containing all ACLs from the new AEM instance.

  5. Install that package to the broken environment. This will ensure that all of the out-of-the-box ACLs are restored and your custom ACLs are ordered in the list after the out-of-the-box ones.

  6. In case the service users under /home/users/system were also deleted by the migration then you can also package and migrate the system users. Create a package of /home/users/system from the fresh AEM instance.

  7. Install the package to the broken environment.