As discussed in the "Removing loginAdministrative, how to test that, and service username conventions" thread on our dev list  we need to be able to create service users and set the corresponding ACLs from our provisioning model.
This should be implemented using distinct utility classes, one for the users and one for the ACLs, that take simple mini-languages as input. This will allow for reusing these utilities in test code for example.
Edit: high-level requirements
- HR1 - Create service users and set their ACLs as defined in the Sling instance's provisioning model.
- HR2 - Create initial paths like /var/discovery, so that ACLs can be set on them.
- HR3 - Make the full text of the ACL definitions available at runtime for auditing purposes (see Michael Marth's Dec.17 comment in
SLING-5355). Also useful for upgrades where merging with conflict detection is needed.