Hi Team,
We performed a code split where our skodacms module was divided into skodacms and skodadam. As part of this, the AC Tool configuration files were moved from skodacms to skodadam. The config path remains /apps/skodadam/actoolconfigs. This was done for internal feasibility between our teams.
Environment info:
AC Tool version: 4.1.0
AEM Cloud release: 2026.2.24678.20260226T154829Z
Environment: DEV2 (program p120774, env e1429169)
Activation mode: CLOUD_ONLY
Config path: /apps/skodadam/actoolconfigs
Issue Description:
After merging the code split branch with our integration branch, the AC Tool startup hook completes without error, but ACE installation silently fails. The following symptoms are observed:
- Old ACE nodes are not removed — e.g. /content/dam/models/rep:policy/allow4 persists even though it should be cleaned up
- New rep:policy nodes are never created — e.g. /content/dam/models/for_deleting/rep:policy, /content/dam/models/global/rep:policy do not exist
- New users are not created — e.g. skoda-dummy-user (Note: on the first run after config change, authorizables were installed, but on all subsequent runs nothing happens)
- obsolete_authorizables.yaml changes not reflecting — removed users and groups still exist
- Startup hook reports "successful" — Cloud Manager lifecycle step is green, no deployment failure
- Locally it works — running AC Tool manually applies all changes correctly
AEM Logs Analysis(author_aemerror_2026-05-20.log) :
On May 20 at 09:17 UTC, a new deployment triggered a full AC Tool apply (config hash changed from 391eeccaf0ce6af9e298b13966da2fcd to 4a03a08855b274118631e16da8a9efbc):
- Authorizables phase succeeded — 854 authorizables processed, 2 created, 1 moved (completed in 20.9s)
- ACE installation phase FAILED with the following exception:
*ERROR* [actool-async] biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl Exception in AceServiceImpl: {} javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only. at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.removePolicy(...) at biz.netcentric.cq.tools.actool.helper.AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(AccessControlUtils.java:202) at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.removeAcesForPathsNotInConfig(AcInstallationServiceImpl.java:544) at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installAces(AcInstallationServiceImpl.java:658) ... Caused by: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only. at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.remove(ReadOnlyBuilder.java:110)
- Despite the failure, the config hash (4a03a08855b274118631e16da8a9efbc) was persisted, so all subsequent startup hook executions (May 20 15:49, May 21 06:43, etc.) report:
Config files are identical to last execution, and skip the apply entirely.
AEM author error logs for reference:
author_aemerror_2026-05-20.log
author_aemerror_2026-05-21.log
AC Tool startup_hook Logs Analysis:
The run on May 20 was partially successful: authorizables were created/updated, but the ACE cleanup/installation phase failed.
09:17:51.713 *** Applying AC Tool Configuration... 09:17:51.715 Running with v4.1.0 on instance id 0d4b4a19-9c6a-4e66-ba87-7524ffba1c3d with restricted paths: [/bin, /conf, /content, /etc, /home, /oak-index, /system, /tmp, /var, ^/$, ^$] 09:18:33.062 *** Starting installation of 854 authorizables from configuration... 09:18:33.062 Retrieved existing ACLs from repository in 37.8sec using index for rep:ACL nodes 09:18:51.624 Found change of intermediate path for AEM.TEST-MAPI-USER: /home/groups/visualizer -> /home/groups/hosting 09:18:53.947 Finished installation of authorizables without errors in 20.9sec 09:18:53.947 Created 2 authorizables (moved 1 authorizables) 09:18:59.368 *ERROR* Exception in AceServiceImpl: {} — ReadOnlyBuilderException
On May 21, since the config hash remained unchanged and the previous execution was recorded (even though it errored), the tool skipped entirely.
AC Tool startup_hook logs:
startup_hook_image_build_logs_2026_05_21.rtf
startup_hook_logs_2026_05_21.rtf
startup_hook_image_build_2026_05_20.rtf
startup_hook_2026_05_20.rtf
Please advise on the recommended approach to resolve this on AEM as a Cloud Service.
Hi Team,
We performed a code split where our skodacms module was divided into skodacms and skodadam. As part of this, the AC Tool configuration files were moved from skodacms to skodadam. The config path remains /apps/skodadam/actoolconfigs. This was done for internal feasibility between our teams.
Environment info:
AC Tool version: 4.1.0
AEM Cloud release: 2026.2.24678.20260226T154829Z
Environment: DEV2 (program p120774, env e1429169)
Activation mode: CLOUD_ONLY
Config path: /apps/skodadam/actoolconfigs
Issue Description:
After merging the code split branch with our integration branch, the AC Tool startup hook completes without error, but ACE installation silently fails. The following symptoms are observed:
AEM Logs Analysis(author_aemerror_2026-05-20.log) :
On May 20 at 09:17 UTC, a new deployment triggered a full AC Tool apply (config hash changed from 391eeccaf0ce6af9e298b13966da2fcd to 4a03a08855b274118631e16da8a9efbc):
*ERROR* [actool-async] biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl Exception in AceServiceImpl: {} javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only. at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.removePolicy(...) at biz.netcentric.cq.tools.actool.helper.AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(AccessControlUtils.java:202) at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.removeAcesForPathsNotInConfig(AcInstallationServiceImpl.java:544) at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installAces(AcInstallationServiceImpl.java:658) ... Caused by: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only. at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.remove(ReadOnlyBuilder.java:110)Config files are identical to last execution, and skip the apply entirely.AEM author error logs for reference:
author_aemerror_2026-05-20.log
author_aemerror_2026-05-21.log
AC Tool startup_hook Logs Analysis:
The run on May 20 was partially successful: authorizables were created/updated, but the ACE cleanup/installation phase failed.
09:17:51.713 *** Applying AC Tool Configuration... 09:17:51.715 Running with v4.1.0 on instance id 0d4b4a19-9c6a-4e66-ba87-7524ffba1c3d with restricted paths: [/bin, /conf, /content, /etc, /home, /oak-index, /system, /tmp, /var, ^/$, ^$] 09:18:33.062 *** Starting installation of 854 authorizables from configuration... 09:18:33.062 Retrieved existing ACLs from repository in 37.8sec using index for rep:ACL nodes 09:18:51.624 Found change of intermediate path for AEM.TEST-MAPI-USER: /home/groups/visualizer -> /home/groups/hosting 09:18:53.947 Finished installation of authorizables without errors in 20.9sec 09:18:53.947 Created 2 authorizables (moved 1 authorizables) 09:18:59.368 *ERROR* Exception in AceServiceImpl: {} — ReadOnlyBuilderExceptionOn May 21, since the config hash remained unchanged and the previous execution was recorded (even though it errored), the tool skipped entirely.
AC Tool startup_hook logs:
startup_hook_image_build_logs_2026_05_21.rtf
startup_hook_logs_2026_05_21.rtf
startup_hook_image_build_2026_05_20.rtf
startup_hook_2026_05_20.rtf
Please advise on the recommended approach to resolve this on AEM as a Cloud Service.