diff --git a/changelog/unreleased/eos-file-perms.md b/changelog/unreleased/eos-file-perms.md
new file mode 100644
index 00000000000..0e5286e3b3f
--- /dev/null
+++ b/changelog/unreleased/eos-file-perms.md
@@ -0,0 +1,3 @@
+Bugfix: Merge user ACLs from EOS to sys ACLs
+
+https://github.com/cs3org/reva/pull/2247
\ No newline at end of file
diff --git a/pkg/cbox/storage/eoswrapper/eoswrapper.go b/pkg/cbox/storage/eoswrapper/eoswrapper.go
index c9e805d8a5a..b737ed4d357 100644
--- a/pkg/cbox/storage/eoswrapper/eoswrapper.go
+++ b/pkg/cbox/storage/eoswrapper/eoswrapper.go
@@ -149,10 +149,10 @@ func (w *wrapper) getMountID(ctx context.Context, r *provider.ResourceInfo) stri
 func (w *wrapper) setProjectSharingPermissions(ctx context.Context, r *provider.ResourceInfo) error {
 // Check if this storage provider corresponds to a project spaces instance
- if strings.HasPrefix(w.conf.Namespace, eosProjectsNamespace) {
+ if strings.HasPrefix(r.Path, eosProjectsNamespace) {
 // Extract project name from the path resembling /c/cernbox or /c/cernbox/minutes/..
- parts := strings.SplitN(r.Path, "/", 4)
+ parts := strings.SplitN(strings.TrimPrefix(r.Path, eosProjectsNamespace), "/", 4)
 if len(parts) != 4 && len(parts) != 3 {
 return errtypes.BadRequest("eoswrapper: path does not follow the allowed format")
 }
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 539a961fc0e..7f04637f3f7 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -45,6 +45,7 @@ import (
 const (
 versionPrefix = ".sys.v#."
 lwShareAttrKey = "reva.lwshare"
+ userACLEvalKey = "eval.useracl"
 )
 const (
@@ -296,7 +297,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 if a.Type == acl.TypeLightweight {
 sysACL := ""
- aclStr, ok := finfo.Attrs[lwShareAttrKey]
+ aclStr, ok := finfo.Attrs["sys."+lwShareAttrKey]
 if ok {
 acls, err := acl.Parse(aclStr, acl.ShortTextForm)
 if err != nil {
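Review bot: In pkg/cbox/storage/eoswrapper/eoswrapper.go, the new `strings.HasPrefix(r.Path, eosProjectsNamespace)` guard in setProjectSharingPermissions is a plain string-prefix test, so a path whose first component merely extends the namespace string (a sibling directory) is also treated as a project path. After `TrimPrefix` such a path leaves a non-empty first element in `parts` while the length can still be 3 or 4, so the format check does not reject it. Because project sharing permissions are derived from this path, the match should end on a path-separator boundary, for example `if (len(parts) != 4 && len(parts) != 3) || parts[0] != "" {`. The comment above the split still describes the input as `/c/cernbox`, which is now only the remainder after the namespace is trimmed. The value of eosProjectsNamespace and the rest of the function are outside the hunk, so this assumes the constant has no trailing slash.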
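Review bot: In pkg/eosclient/eosbinary/eosbinary.go, the `"sys."` prefix is concatenated by hand at each attribute lookup: `finfo.Attrs["sys."+lwShareAttrKey]` here in AddACL, the same expression in RemoveACL, and both `"sys."+userACLEvalKey` and `"sys."+lwShareAttrKey` in mapToFileInfo. The defect this commit fixes was a lookup that omitted the prefix, so the next lookup added can repeat it. A single named form next to the existing constants, e.g. `sysLwShareAttrKey = "sys." + lwShareAttrKey`, would keep the read key and the key passed to SetAttr visibly tied together. AddACL's body starts and ends outside the hunk.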
@@ -330,7 +331,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 args = append(args, "--user")
 userACLAttr := &eosclient.Attribute{
 Type: SystemAttr,
- Key: "eval.useracl",
+ Key: userACLEvalKey,
 Val: "1",
 }
 if err = c.SetAttr(ctx, auth, userACLAttr, false, path); err != nil {
@@ -360,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 if a.Type == acl.TypeLightweight {
 sysACL := ""
- aclStr, ok := finfo.Attrs[lwShareAttrKey]
+ aclStr, ok := finfo.Attrs["sys."+lwShareAttrKey]
 if ok {
 acls, err := acl.Parse(aclStr, acl.ShortTextForm)
 if err != nil {
@@ -1090,8 +1091,25 @@ func (c *Client) mapToFileInfo(kv, attrs map[string]string) (*eosclient.FileInfo
 if err != nil {
 return nil, err
 }
- lwACLStr, ok := attrs[lwShareAttrKey]
- if ok {
+
+ // Read user ACLs if sys.eval.useracl is set
+ if userACLEval, ok := attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
+ if userACL, ok := attrs["user.acl"]; ok {
+ userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
+ if err != nil {
+ return nil, err
+ }
+ for _, e := range userAcls.Entries {
+ err = sysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
+ if err != nil {
+ return nil, err
+ }
+ }
+ }
+ }
+
+ // Read lightweight ACLs recognized by the sys.reva.lwshare attr
+ if lwACLStr, ok := attrs["sys."+lwShareAttrKey]; ok {
 lwAcls, err := acl.Parse(lwACLStr, acl.ShortTextForm)
 if err != nil {
 return nil, err
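Review bot: In mapToFileInfo, entries parsed from `user.acl` are written into `sysACL` with `SetEntry`, so if SetEntry replaces an existing entry with the same type and qualifier (its body is not in this diff), a user-level entry overrides the sys-level one in the returned FileInfo, including any restriction the sys entry carried. Whether that precedence matches how EOS itself combines the two attributes should be confirmed and recorded beside the loop, e.g. `// user.acl entries overwrite sys.acl entries with the same type and qualifier`, since the merged ACL is presumably what callers use to report or decide permissions. A parse failure on `user.acl` also returns `nil, err` for the whole FileInfo, so one malformed user attribute makes the resource unreadable through this path; if that attribute can be written by non-admin users, it is worth deciding explicitly whether to fail or to log and ignore it. The function starts and ends outside the hunk.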