gistfile1.groovy

private void clearAcl(AccessControlList acl) {
    acl.accessControlEntries.each {
        acl.removeAccessControlEntry it
    }
}

private AccessControlList findAcl(String path) {
    def acl = null
    
    getSession().getAccessControlManager().getPolicies(path).each { AccessControlPolicy policy ->
        if (policy instanceof AccessControlList) {
            acl = policy
        }
    }
    
    
    getSession().getAccessControlManager().getApplicablePolicies(path).toList().each { AccessControlPolicy policy ->
        if (policy instanceof AccessControlList) {
            acl = policy
        }
    }
    
    return acl
}

// create users and root nodes for them
User user1 = session.userManager.createUser("user1", "password1")
User user2 = session.userManager.createUser("user2", "password2")

Node user1Node = session.rootNode.addNode("user1")
Node user2Node = session.rootNode.addNode("user2")
session.save()

Privilege allPriv = session.accessControlManager.privilegeFromName("jcr:all")

// update the root acl so that only user1 and user2 are able to log into this workspace
AccessControlList rootAcl = findAcl("/")
clearAcl(rootAcl)
rootAcl.addAccessControlEntry(user1.principal, [ allPriv ] as Privilege[])
rootAcl.addAccessControlEntry(user2.principal, [ allPriv ] as Privilege[])
session.accessControlManager.setPolicy("/", rootAcl)

// revoke user2's privileges on /user1
AccessControlList user1Acl = findAcl("/user1")
clearAcl(user1Acl)
user1Acl.addEntry(user2.principal, [ allPriv ] as Privilege[], false)
session.accessControlManager.setPolicy("/user1", user1Acl)

// revoke user1's privileges on /user2
AccessControlList user2Acl = findAcl("/user2")
clearAcl(user2Acl)
user2Acl.addEntry(user1.principal, [ allPriv ] as Privilege[], false)
session.accessControlManager.setPolicy("/user2", user2Acl)

session.save()