diff --git a/src/box/alter.cc b/src/box/alter.cc
index 284de989abb86714a11dd437148b20cd767bab40..3145e879bd78786d61150fc528b6ea5e70597ec5 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -1321,6 +1321,17 @@ func_def_create_from_tuple(struct func_def *func, struct tuple *tuple)
 {
 	func->fid = tuple_field_u32(tuple, ID);
 	func->uid = tuple_field_u32(tuple, UID);
+	/*
+	 * Do not initialize the privilege cache right away since
+	 * when loading up a function definition during recovery,
+	 * user cache may not be filled up yet (space _user is
+	 * recovered after space _func), so no user cache entry
+	 * may exist yet for such user.  The cache will be filled
+	 * up on demand upon first access.
+	 *
+	 * Later on consistency of the cache is ensured by DDL
+	 * checks (see user_has_data()).
+	 */
 	func->auth_token = BOX_USER_MAX; /* invalid value */
 	func->setuid = false;
 	const char *name = tuple_field_cstr(tuple, NAME);
diff --git a/src/box/lua/call.cc b/src/box/lua/call.cc
index e2cc4e5c6a024ebd386363d67ea19f92d8890fdf..fbca7f10f0e4817dcfc6e060725682c569682674 100644
--- a/src/box/lua/call.cc
+++ b/src/box/lua/call.cc
@@ -523,7 +523,12 @@ SetuidGuard::SetuidGuard(const char *name, uint32_t name_len,
 	if (func->setuid) {
 		/** Remember and change the current user id. */
 		if (unlikely(func->auth_token >= BOX_USER_MAX)) {
-			/* Optimization: cache auth_token on first access */
+			/*
+			 * Fill the cache upon first access, since
+			 * when func_def is created, no user may
+			 * be around to fill it (recovery of
+			 * system spaces from a snapshot).
+			 */
 			struct user_def *owner = user_by_id(func->uid);
 			assert(owner != NULL); /* checked by user_has_data() */
 			func->auth_token = owner->auth_token;