'members' property is not working with AEM groups created via Default Sync Handler?

[Promathia]

Prehistory:

AEMaaCS - latest version.
AC Tool - latest version.
In general AC Tool works fine and installs groups to AEMaaCS in 2 phases (as per docs).

Context (group names changed due to NDA):

We have a business group config in AC Tool .yaml script (for example):

- en-editors:  
      - name: "EN Editors"  
      isMemberOf: content-managers  
      path: /home/groups/customer

This group has ACLs for some paths under '/content/...', '/conf/...' and '/etc/...'.

For that group we have one in Adobe IMS:
'IMS en-editors'
After "Apache Jackrabbit Oak Default Sync Handler" syncs groups to AEMaaCS Author service, we link those 2 groups together (for ACL inheritance), so 'IMS en-editors' is made a member of 'en-editors'.
Note: 'IMS en-editors' was not added to AC Tool. But it definitely exists on AEMaaCS Author service before a next build

When we change something in AC tool .yaml scripts - it recreates the groups (since the hash changed) and upon groups recreation - the linking above is missed ('IMS en-editors' is not member of 'en-editors' any more).

So to mitigate this we tried to add 'IMS en-editors' group to 'members' property of 'en-editors' in .yaml script.
As per documentation :

...Also choosing one approach makes the config files consistent. members should therefore only be used in special cases where it is not possible to use isMemberOf, e.g. to push rights to a group that is not in the configuration and hence that group can not be annotated with isMemberOf

Updated group config example looks like this after the change:

- en-editors:
    - name: "EN Editors"
      isMemberOf: content-managers
      members: IMS en-editors
      path: /home/groups/customer

Problem description:

Once 'members: IMS en-editors' added to config, AC Tool fails on both steps with the following errors:
Step startup_hook_image_build:

15:20:09.267: ERROR: Could not process yaml files / e=biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException: java.lang.IllegalStateException: Member IMS en-editors does not exist and cannot be added as external member to group en-editors
Execution time: 0 ms
Success: false

Step startup_hook:

15:32:55.779: ERROR: Could not process yaml files / e=javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
Execution time: 0 ms
Success: false

Once I delete 'members: IMS en-editors' property from .yaml config - AC Tool successfully installs scripts in 2 phases again.

Question:

Can you please suggest, how can we maintain the linkage of the IMS and AEM groups while using AC Tool ('IMS en-editors' is a member of 'en-editors')?

Some ideas and notes:

Looking into code I could not find why it is not working, 'member'-s processing is pretty much straightforward

Authorizable memberGroup = userManager.getAuthorizable(member);
if (memberGroup == null) {
    throw new IllegalStateException(
            "Member " + member + " does not exist and cannot be added as external member to group "
                    + authorizableConfigBean.getAuthorizableId());
}
installedGroup.addMember(memberGroup);
installLog.addVerboseMessage(LOG,
        "Adding " + member + " as external member to group " + authorizableConfigBean.getAuthorizableId());

My assymption is that upon 'startup_hook_image_build' phase the composite node store is not connected, and the users/groups can not be seen at all, but still I can not understand why 'startup_hook' phase fails with an error as if it tries to write under apps/libs.

Just to proof 'IMS en-editors' group existence, if I run a simple groovy, it finds the group as expected and everything seems to be ok.

Regards,
Ivan

[Promathia]

Colleagues, does anyone have any ideas on the issue description above?

[ghenzler]

@Promathia Have you tried the approach as outlined in #694 (comment) / attached zip https://github.com/Netcentric/accesscontroltool/files/14917287/link-ims-groups-with-actool-example.zip ?

you state the error Member IMS en-editors does not exist and cannot be added as external member to group en-editors is the problem during the image build, if you put the link group in a folder ala ims-link-group.author.dev, it will only be executed during second run (as the runmode dev is not set during image build)

[Promathia]

Hi @ghenzler , thank you so much for addressing this, I'll try it today, seems like it should work, although I have a couple of doubts. But anyway, I'll try and let you know.

Regards,
Ivan

[Promathia]

Hello colleagues!
@ghenzler, as you suggested I put my configs into run-mode folder, as follows (we have same configs for all 3 envs):

after deploy to AEMaaCS I see the following picture (no configs were applied):

The startup_hook error message looks like this:

So seems like, due to runmode presence - image build phase was skipped. But in my initial message I stated, that both 2 phases produce errors. And this happens only when I add 'members' config for some groups.
The project has a couple of custom admin tools and therefore some groups have ACE configurations under /apps.... And on startup it can not write to immutable areas of repo... (this is my assumption)

Could you please give any feedback? Maybe this was already given a thought or discussed?
I appriciate your help very much!

Regards,
Ivan