Description
the best practices at https://jackrabbit.apache.org/oak/docs/security/authentication/external/bestpractices.html should clarify how to configure oak such that access control setup for non-existing external principals is possible and link to the corresponding statements in sling repo-init.