today i spotted to places in AccessControlManagerImpl, where i think the principal lookup could be omitted altogether:
a) AccessControlManagerImpl.getPrincipal(Tree) : called when building policies from the content -> principal is always created even if not known.
b) Util.checkValidPrincipal(Principal, PrincipalManager, int) : in case of ImportBehavior.BESTEFFORT the result of the lookup is ignored and the lookup could in this case be omitted.
Alex Deparvu, what do you think? If you feel this is worth addressing, I would create a patch.