AccessDeniedException when i'm creating Group and User in aem 6.2 (6.1) programmatically?

Question

I want to create Group first and then User and then i want to add user to group using getServiceResourceResolver(map) or loginService("datawrite",null).

I tried following code and i'm getting exception at the time of session save (adminSession.save()):

    public void addGroupUser(SlingHttpServletRequest request) {
        log.info("----------------------------------------> addGroupUser");
        String groupName = request.getParameter("groupName");
        String userName = request.getParameter("userName");
        String password = request.getParameter("password");

        Session adminSession = null;
        ResourceResolver adminResolver = null;
        try {
            Map<String, Object> authInfoParam = new HashMap<String, Object>();
            authInfoParam.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
            adminResolver = resolverFactory.getServiceResourceResolver(authInfoParam);
            //adminResolver = resolverFactory.getAdministrativeResourceResolver(null); //deprecated method
            adminSession = slingRepository.loginService("datawrite", null);
            log.info("----------------------------------------> Session user id = {}",adminSession.getUserID());

            // Create UserManager Object
            final UserManager userManager = AccessControlUtil.getUserManager(adminSession);

            // Create a Group
            Group group= null;
            if (userManager.getAuthorizable(groupName) == null) {
                //adminResolver.refresh();
                group = userManager.createGroup(groupName,new SimplePrincipal(groupName),"/home/groups/test");

                ValueFactory valueFactory = adminSession.getValueFactory();
                Value groupNameValue = valueFactory.createValue(groupName, PropertyType.STRING);
                group.setProperty("./profile/givenName", groupNameValue);
                //adminResolver.commit();
                log.info("----------------------------------------> {} Group successfully created.",group.getID());
            } else {
                log.info("----------------------------------------> Group already exist..");
            }

            // Create a User
            User user = null;
            if (userManager.getAuthorizable(userName) == null) {
                //adminResolver.refresh();
                user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test");

                ValueFactory valueFactory = adminSession.getValueFactory();
                Value firstNameValue = valueFactory.createValue("Arpit", PropertyType.STRING);
                user.setProperty("./profile/givenName", firstNameValue);

                Value lastNameValue = valueFactory.createValue("Bora", PropertyType.STRING);
                user.setProperty("./profile/familyName", lastNameValue);

                Value emailValue = valueFactory.createValue("[email protected]", PropertyType.STRING);
                user.setProperty("./profile/email", emailValue);
                //adminResolver.commit();
                log.info("----------------------------------------> {} User successfully created.",user.getID());
            } else {
                log.info("----------------------------------------> User already exist..");
            }

            // Add Users to Group
            Group addUserToGroup = (Group)(userManager.getAuthorizable(groupName));
            addUserToGroup.addMember(userManager.getAuthorizable(userName));
            adminSession.save();

        }catch (Exception e) {
            log.info("----------------------------------------> Not able to perform User Management..");
            log.info("----------------------------------------> Exception.." + e.getMessage());
        } finally {
            if (adminSession != null && adminSession.isLive()) {
                adminSession.logout();
            }
            if (adminResolver != null)
                adminResolver.close();
        }
    }

Exception log is:

    javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    ...
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32)
    at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108)
    ...

I have "datawrite" service mapping with system user in “Apache Sling Service User Mapper Service” which is configurable in the OSGI configuration admin interface.

Answer 1

Code works now - its a permission issue. I Added "datawrite" system user to the administrators group:

This way - the OAK exception does not occur and the system user can create Group and User in AEM 6.2/6.1.