# Test the principal-based ACL syntax

set principal ACL for principal1,principal2
    remove * on /libs,/apps
    allow jcr:read on /content

    deny jcr:write on /apps

    # Optional nodetypes clause
    deny jcr:lockManagement on /apps, /content nodetypes sling:Folder, nt:unstructured
    # nodetypes clause with restriction clause
    deny jcr:modifyProperties on /apps, /content nodetypes sling:Folder, nt:unstructured restriction(rep:itemNames,prop1,prop2)
    remove jcr:understand,some:other on /apps

    # multi value restriction
    allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured)

    # multiple restrictions
    allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)

    # restrictions with glob patterns
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat)
    allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*)

    allow jcr:something on / restriction(rep:glob)
end

# Test the principal-baesd ACL syntax with options SLING-6423

set principal ACL for principal1,principal2 (ACLOptions=mergePreserve)
    remove * on /libs,/apps
    allow jcr:read on /content
end

# with multiple options

set principal ACL for principal1,principal2 (ACLOptions=mergePreserve,someOtherOption,someOther123,namespaced:option)
    remove * on /libs,/apps
    allow jcr:read on /content
end

# repository level

set principal ACL for principal1,principal2
    allow jcr:namespaceManagement on :repository 
end

set principal ACL for principal1
    allow jcr:all on :repository,/content
end