Clarify modification of built-in users/groups
kwin authored Feb 21, 2025
1 parent 425fd9c commit e2c9f75
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/AdvancedFeatures.md
Expand Up @@ -330,7 +330,7 @@ For common use cases which may require tweaking the default behaviour refer to t

### Configure permissions for built-in users or groups (like anonymous)

To configure permissions for already existing users, it's best to create a custom group and add this user to the `members` attribute of that group. The ACEs added to the custom group will then be effective for that user as well.
To configure permissions for already existing users/groups, it's best to create a custom group and add the built-in user/group to the `members` attribute of the AC managed group. The ACEs added to the custom group will then be effective for the built-in user/group as well.

This is not an option for the [`everyone` group](https://jackrabbit.apache.org/oak/docs/security/user/default.html#Everyone_Group) as it is neither allowed to put groups/users as members to this group (because implicitly every principal is member of this group) nor to put this group as member to another group (to prevent cycles, compare with [OAK-7323](https://issues.apache.org/jira/browse/OAK-7323)).
Also in case of using [Sling Service Authentication bound to principals](https://sling.apache.org/documentation/the-sling-engine/service-authentication.html#service-user-mappings)(available since AEM 6.4) you cannot use group memberships, as the principal mapping does not consider (transitive) group memberships. Those mappings can be identified by looking up the according `org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended` configuration instance with its `user.mapping` property. It that has the format `<service-name>[:<subservice-name>]="["<principal name>{","<principal name>}"]"` (look for square brackets) it is a principal mapping.
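
Review bot: In the changed sentence, "a custom group" and "the AC managed group" name the same group, but the switch in terms mid-sentence reads as if two different groups are involved, and the next sentence then goes back to "custom group". Suggest using one term throughout, for example "add the built-in user/group to the `members` attribute of that group", or introducing it once as "a custom (AC managed) group". Since the text says the ACEs on that group become effective for the built-in user/group as well, it would also help to state that the group should carry only the ACEs meant for that built-in principal (the heading's `anonymous` case being the obvious one). Separately, the unchanged context line on Sling service user mappings contains "It that has the format", which should read "If that has the format".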