-rw-r--r-- | ydb/library/aclib/aclib.cpp | 11 | ||||
-rw-r--r-- | ydb/library/aclib/aclib.h | 1 |
2 files changed, 10 insertions, 2 deletions
diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp
index 8f8f216da2..c7e95b4215 100644
--- a/ydb/library/aclib/aclib.cpp
+++ b/ydb/library/aclib/aclib.cpp
@@ -125,6 +125,10 @@ void TUserToken::AddGroupSID(const TSID& groupSID) {
     bucket.AddValues(groupSID);
 }
 
+bool TUserToken::IsSystemUser() const {
+    return GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN);
+}
+
 TSecurityObject::TSecurityObject(const NACLibProto::TSecurityObject& protoSecObj, bool isContainer)
     : NACLibProto::TSecurityObject(protoSecObj)
     , IsContainer(isContainer)
@@ -137,6 +141,9 @@ TSecurityObject::TSecurityObject(const TSID& owner, bool isContainer)
 }
 
 ui32 TSecurityObject::GetEffectiveAccessRights(const TUserToken& user) const {
+    if (user.IsSystemUser()) {
+        return EAccessRights::GenericFull; // the system always has access
+    }
     if (HasOwnerSID() && user.IsExist(GetOwnerSID()))
         return EAccessRights::GenericFull; // the owner always has access
     ui32 deniedAccessRights = EAccessRights::NoAccess;
@@ -161,8 +168,8 @@ ui32 TSecurityObject::GetEffectiveAccessRights(const TUserToken& user) const {
 }
 
 bool TSecurityObject::CheckAccess(ui32 access, const TUserToken& user) const {
-    if (user.GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
-        return true;
+    if (user.IsSystemUser()) {
+        return true; // the system alway has access
     }
     if (HasOwnerSID() && user.IsExist(GetOwnerSID()))
         return true; // the owner always has access
diff --git a/ydb/library/aclib/aclib.h b/ydb/library/aclib/aclib.h
index 0cd4ed9793..d82ebbb80b 100644
--- a/ydb/library/aclib/aclib.h
+++ b/ydb/library/aclib/aclib.h
@@ -91,6 +91,7 @@ public:
     TString GetOriginalUserToken() const;
     TString SerializeAsString() const;
     void AddGroupSID(const TSID& groupSID);
+    bool IsSystemUser() const;
     using NACLibProto::TUserToken::ShortDebugString;
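Review bot: TUserToken::IsSystemUser is undocumented even though its result is now the sole condition for unconditional full access in both GetEffectiveAccessRights and CheckAccess (the next two hunks), and the definition does not say where the user SID comes from or why a SID in BUILTIN_SYSTEM_DOMAIN is assumed to be issued only by trusted components. The check is a plain suffix match, so it is case-sensitive and, if a SID's user part can itself contain "@", a SID such as `x@y@<system domain>` would also qualify; nothing in the hunk shows whether that is possible, so the assumption should be stated rather than left implicit. A comment above the definition along the lines of `// A user is "system" when its SID is in BUILTIN_SYSTEM_DOMAIN. Security checks grant such users full access unconditionally, so this relies on SIDs in that domain being set only by trusted token issuers.` would make the trust boundary explicit for the next reader.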
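Review bot: The new early return in GetEffectiveAccessRights runs before deniedAccessRights is even initialised, so whatever deny handling follows later in the function (outside this hunk) is never consulted for system users; that appears to be the intent, but the comment only says the system "always has access" and does not record that explicit deny entries are bypassed too. Suggest `return EAccessRights::GenericFull; // the system always has access: skips owner and ACL (incl. deny) evaluation below`. The function's body continues beyond the hunk.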
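Review bot: The comment added on the replaced `return true;` line in CheckAccess has a typo ("alway") and differs from the wording used for the same condition in GetEffectiveAccessRights; make them identical so the two special cases are recognisably one rule: `return true; // the system always has access`. CheckAccess continues beyond the hunk, so the remaining checks it performs after the owner shortcut are not visible here.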