I am trying to create a user with the rights to upload and install content packages on a CQ publish instance and I do not wish to use the admin user. Simply adding a new user to the administrators group does not seem to be enough.
I tried adding a rep:GrantACE node through crx de/explorer but it reported the node as locked. I was able to upload a content package that removed the rep:DenyACE jcr:read for everyone, but this is not safe, it seems.
Is there some special privilege that I need to add to my user/group that will allow them to access the /etc/packages tree, or do I just need to add some permission somewhere within the tree?
It seems that the admin account always works in these scenarios as it has special privileges in the CRX security system; admin can do anything it likes.
Instead of creating the rep:GrantACE nodes directly, I was able to add a new ACL entry for the administrators group to /etc/packages via the Access Control Editor (http://localhost:4502/crx/explorer/ui/aceditor.jsp?ck=1373027669916&Name=acEditor&Path=%2Fetc%2Fpackages&_charset_=utf-8).
Strangely, the administrators account already had some inherited rights on this directory that were overridden by the deny|everyone|jcr:read ACL entry on the /etc/packages node. Adding allow:administrators|jcr:read gives any member of that group access to read and write to the /etc/packages directory.
Now that I have set up this user, we can set up a deploy step in our CI build that does not rely on using the admin account.
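
The ACL interaction described in this thread, as an added example that is not part of the original posts and is not CRX or Jackrabbit code: a simplified model in which the closest node decides first and, within one node, later entries win. It compares the two options from the thread (removing the deny entry, or appending an allow for administrators); the root-level entries and the `DEPLOYER`/`ANONYMOUS` principal sets are assumptions made for the illustration.

```python
# Simplified model of resource-based ACL evaluation (assumption, not CRX code):
# walk from the target node up to the root; within one node read entries
# last-to-first; the first entry that mentions a privilege decides it.

def parents(path):
    """Yield path, then each ancestor up to '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def effective(acls, principals, path):
    """Return {privilege: True/False} for a session holding `principals`."""
    decided = {}
    for node in parents(path):
        for allow, principal, privs in reversed(acls.get(node, [])):
            if principal in principals:
                for p in privs:
                    decided.setdefault(p, allow)  # first decision wins
    return decided

def can(acls, principals, path, priv):
    return effective(acls, principals, path).get(priv, False)

# Constructed sample ACLs. The root entries are assumed stand-ins for the
# "inherited rights" the post mentions; the deny on /etc/packages is from the page.
ORIGINAL = {
    "/": [(True, "everyone", ["jcr:read"]),
          (True, "administrators", ["jcr:read", "jcr:write"])],
    "/etc/packages": [(False, "everyone", ["jcr:read"])],
}
# Option 1 from the post: drop the deny entry altogether.
DENY_REMOVED = {**ORIGINAL, "/etc/packages": []}
# Option 2 from the post: keep the deny, append an allow for administrators.
ALLOW_ADDED = {**ORIGINAL, "/etc/packages": ORIGINAL["/etc/packages"]
               + [(True, "administrators", ["jcr:read"])]}

DEPLOYER = {"everyone", "administrators"}   # hypothetical CI user's principals
ANONYMOUS = {"everyone"}                    # any session outside the group

if __name__ == "__main__":
    for name, acls in [("original", ORIGINAL), ("deny removed", DENY_REMOVED),
                       ("allow added", ALLOW_ADDED)]:
        print(name,
              "| deployer read:", can(acls, DEPLOYER, "/etc/packages", "jcr:read"),
              "| deployer write:", can(acls, DEPLOYER, "/etc/packages", "jcr:write"),
              "| anonymous read:", can(acls, ANONYMOUS, "/etc/packages", "jcr:read"))
```

In this model the inherited write privilege was never denied, which is why restoring only jcr:read for the group is enough, while removing the deny entry also opens the tree to every other session.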