Clarify underlying JCR session in documentation

[kwin]

For each of the execution possibilities the underlying JCR session/resource resolver should be clarified. I guess this is

1. Startup hook: service resolver (which one, which permissions by default?)
2. Install hook: service resolver (which one, which permissions by default?)
3. Manual execution: requests based resolver (bound to the user session)

[kwin]

Particularly it is not clear when which of the three service users from

aem-easy-content-upgrade/complete/src/main/content/jcr_root/apps/valtech/aecu-complete/config/org.apache.sling.jcr.repoinit.RepositoryInitializer~setacls.config

Lines 14 to 24 in c5bce3e

	set ACL for aecu-content-migrator
	allow jcr:all on /apps,/conf,/content,/etc,/home,/var
	allow jcr:read on /
	end
	set ACL for aecu-admin
	allow jcr:all on /
	end
	set ACL for aecu-service
	allow jcr:read on /
	allow jcr:all on /var/aecu
	end

are used from where.

[nhirrle]

Hi @kwin
First of all sorry for the late answer.
You are right, there are some improvements to do not only on the documentation side but also implementation side.
For the startup hook more permissions are required so the aecu-admin is used. For the manual execution within groovy indeed the user session should be used but it is not right now the case and instead a service user is used.
There is also protection on the Groovyconsole itself, usually a user with administration rights is able to execute groovyscripts only ( see https://github.com/orbinson/aem-groovy-console#osgi-configuration / Script Execution Allowed Groups).
Best, Nicolas