As of CQ 5.3, run-mode dependent default permissions can be defined with the AclSetupService that always runs during startup.
The AclSetupService allows you to specify access control entries to be created at a given path for a given principal name. In addition, it allows you to clear existing entries at a given path for a given principal name.
Because the service runs on every startup and can both create and clear entries, it can cause issues with existing access control content.
Sample rule: read permission granted on /apps to the everyone group on startup.
allow;jcr:read;everyone;/apps
Configuration added:
allow;jcr:read;intranet-site-managers;/apps
Error.log
The permissions applied by the ACL setup service can be seen in the logs during startup. When the config is saved:
18.09.2017 13:02:40.150 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.day.cq.security.ACLSetup)] com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, inherit='false', privileges='[jcr:read]', principal='intranet-site-managers', path='/apps'}
18.09.2017 13:02:40.244 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.day.cq.security.ACLSetup)] com.day.cq.security.impl.ACLSetupService done.
18.09.2017 13:02:40.793 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.WatchedFolder Watching folder /apps/cq/security/config.author (priority 201)
18.09.2017 13:02:41.332 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=201, id=/apps/cq/security/config.author/com.day.cq.security.ACLSetup.config]
On startup you see the following logs:
18.09.2017 13:09:20.456 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, inherit='false', privileges='[jcr:read]', principal='intranet-site-managers', path='/apps'}
18.09.2017 13:09:20.487 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService done.
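One way to audit these startup entries, as an added example (not code from the original page or from the product): it parses the "applying Rule{...}" lines from error.log and diffs them against a list of approved rule strings. The approved list (BASELINE) is constructed for illustration, and treating multiple privileges as comma-separated is an assumption.

```python
import re

# Matches the "applying Rule{...}" entries ACLSetupService writes to error.log.
RULE_RE = re.compile(
    r"ACLSetupService applying Rule\{allow=(?P<allow>true|false), "
    r"inherit='[^']*', privileges='\[(?P<privs>[^\]]*)\]', "
    r"principal='(?P<principal>[^']*)', path='(?P<path>[^']*)'\}"
)

# Startup log lines as shown on this page.
SAMPLE_LOG = [
    "18.09.2017 13:09:20.456 *INFO* [FelixStartLevel] "
    "com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, "
    "inherit='false', privileges='[jcr:read]', "
    "principal='intranet-site-managers', path='/apps'}",
    "18.09.2017 13:09:20.487 *INFO* [FelixStartLevel] "
    "com.day.cq.security.impl.ACLSetupService done.",
]

# Constructed baseline: the rules a reviewer has approved (assumption).
BASELINE = ["allow;jcr:read;everyone;/apps"]

def _privs(text):
    # Assumption: multiple privileges are comma-separated in both formats.
    return frozenset(p.strip() for p in text.split(",") if p.strip())

def parse_config_rule(rule):
    """Parse 'allow;jcr:read;everyone;/apps' into a comparable tuple."""
    parts = rule.strip().split(";")
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"malformed ACL rule: {rule!r}")
    action, privs, principal, path = parts
    return (action == "allow", _privs(privs), principal, path)

def applied_rules(log_lines):
    """Collect every rule the log shows ACLSetupService applying."""
    return {
        (m["allow"] == "true", _privs(m["privs"]), m["principal"], m["path"])
        for m in map(RULE_RE.search, log_lines) if m
    }

def audit(log_lines, approved_rules):
    """Diff applied rules against the approved list, in both directions."""
    approved = {parse_config_rule(r) for r in approved_rules}
    seen = applied_rules(log_lines)
    return {"unexpected": seen - approved, "not_applied": approved - seen}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, BASELINE))
```

With the sample data, the intranet-site-managers rule is reported as unexpected and the everyone rule as approved but not applied.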