How do I set user and group ACLs directly in CRX rather than in the CQ5 User Administration ("CQ5 Security") screen?
In CRX 2.0 / JCR 2.0 the security model changed. In the new security model, user access is defined via access control policies .
In CQ5, the user and group security model makes use of the standard repository privileges for JCR 2.0  (as defined by the
org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate access control policy).
Here are some things you should know about the new security model:
denypermission on a given node then 3 scenarios are possible:
To demonstrate, here is an example: group1 and group2 have access controls set for the path
/content/geometrixx; group1 has deny read and group2 has allow read and user1 has membership to both group1 and group2 (exclusively). With this configuration then the access will be evaluated in the order as shown in the CRX Access Control Editor... dialog.
In CQ5.3 and later versions, the allow/deny rules (ACEs) shown in the "CQ5 Security" (aka "User Administration") screen do not have a one to one relationship with the actual ACEs that are set in the CRX 2.x repository. The table below shows how the access controls map from CQ5 to the CRX repository:
|read acl||read ACL||
|edit acl||modify ACL||
To edit ACEs in CRX2.0:
http://<host>:<port>/crxweb application (
http://<host>:<port>/crx/explorer in CQ5.5+)
CQ5.3, CQ5.4, CQ5.5
 http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html (see section 16.2.3 Standard Privileges)