diff --git a/changelog/unreleased/eos-sys-acl-files.md b/changelog/unreleased/eos-sys-acl-files.md
new file mode 100644
index 0000000000..3836fa6830
--- /dev/null
+++ b/changelog/unreleased/eos-sys-acl-files.md
@@ -0,0 +1,3 @@
+Enhancement: Use sys ACLs for file permissions
+
+https://github.com/cs3org/reva/pull/2494
\ No newline at end of file
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 0da98de2d6..e77bf8472b 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -45,7 +45,6 @@ import (
 const (
 versionPrefix = ".sys.v#."
 lwShareAttrKey = "reva.lwshare"
- userACLEvalKey = "eval.useracl"
 )
 const (
@@ -323,20 +322,9 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 }
 sysACL := a.CitrineSerialize()
- args := []string{"acl"}
-
+ args := []string{"acl", "--sys"}
 if finfo.IsDir {
- args = append(args, "--sys", "--recursive")
- } else {
- args = append(args, "--user")
- userACLAttr := &eosclient.Attribute{
- Type: SystemAttr,
- Key: userACLEvalKey,
- Val: "1",
- }
- if err = c.SetAttr(ctx, auth, userACLAttr, false, path); err != nil {
- return err
- }
+ args = append(args, "--recursive")
 }
 // set position of ACLs to add. The default is to append to the end, so no arguments will be added in this case
@@ -387,11 +375,9 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 }
 sysACL := a.CitrineSerialize()
- args := []string{"acl"}
+ args := []string{"acl", "--sys"}
 if finfo.IsDir {
- args = append(args, "--sys", "--recursive")
- } else {
- args = append(args, "--user")
+ args = append(args, "--recursive")
 }
 args = append(args, sysACL, path)
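Review bot: RemoveACL now only ever passes `--sys`, so a grant that the previous AddACL wrote to a file with `--user` (together with `sys.eval.useracl=1`) can no longer be revoked through this path, and AddACL no longer clears that attribute either. If EOS keeps evaluating `user.acl` on such files, access would outlive an unshare; whether a migration exists elsewhere is not visible in this diff. I would at least record this above the `args` line in both functions, e.g. `// Files shared before the switch to sys ACLs may still carry user.acl and sys.eval.useracl=1; those entries are not touched here and need a one-off migration.` The same gap applies on the read side in the mapToFileInfo and fixupACLs hunks, which stop merging `user.acl` into the reported ACL. Both function bodies start and end outside their hunks.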
@@ -1121,22 +1107,6 @@ func (c *Client) mapToFileInfo(kv, attrs map[string]string) (*eosclient.FileInfo
 return nil, err
 }
- // Read user ACLs if sys.eval.useracl is set
- if userACLEval, ok := attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
- if userACL, ok := attrs["user.acl"]; ok {
- userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
- if err != nil {
- return nil, err
- }
- for _, e := range userAcls.Entries {
- err = sysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
- if err != nil {
- return nil, err
- }
- }
- }
- }
-
 // Read lightweight ACLs recognized by the sys.reva.lwshare attr
 if lwACLStr, ok := attrs["sys."+lwShareAttrKey]; ok {
 lwAcls, err := acl.Parse(lwACLStr, acl.ShortTextForm)
diff --git a/pkg/eosclient/eosgrpc/eosgrpc.go b/pkg/eosclient/eosgrpc/eosgrpc.go
index 8cd4c62b6a..eec5cf89af 100644
--- a/pkg/eosclient/eosgrpc/eosgrpc.go
+++ b/pkg/eosclient/eosgrpc/eosgrpc.go
@@ -49,7 +49,6 @@ import (
 const (
 versionPrefix = ".sys.v#."
 // lwShareAttrKey = "reva.lwshare"
- userACLEvalKey = "eval.useracl"
 )
 const (
@@ -502,22 +501,6 @@ func (c *Client) fixupACLs(ctx context.Context, auth eosclient.Authorization, in
 }
 }
- // Read user ACLs if sys.eval.useracl is set
- if userACLEval, ok := info.Attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
- if userACL, ok := info.Attrs["user.acl"]; ok {
- userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
- if err != nil {
- return nil
- }
- for _, e := range userAcls.Entries {
- err = info.SysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
- if err != nil {
- return nil
- }
- }
- }
- }
-
 // We need to inherit the ACLs for the parent directory as these are not available for files
 if !info.IsDir {
 parentInfo, err := c.GetFileInfoByPath(ctx, auth, path.Dir(info.File))
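Review bot: The surviving comment in fixupACLs, `// We need to inherit the ACLs for the parent directory as these are not available for files`, contradicts what this commit sets up, since the eosbinary client now writes sys ACLs directly on files. I would reword it to `// Files can carry their own sys ACL entries; the parent directory's entries are inherited in addition to them.` and state there which side wins when the two disagree, because that decides the effective permission. The merge itself is below the hunk, so this wording assumes the parent entries are added to the file's own rather than replacing them.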