diff --git a/exist-core/src/main/java/org/exist/xquery/functions/securitymanager/IdFunction.java b/exist-core/src/main/java/org/exist/xquery/functions/securitymanager/IdFunction.java
index 3d156836aa8..b52b280ffad 100644
--- a/exist-core/src/main/java/org/exist/xquery/functions/securitymanager/IdFunction.java
+++ b/exist-core/src/main/java/org/exist/xquery/functions/securitymanager/IdFunction.java
@@ -77,13 +77,17 @@ private org.exist.dom.memtree.DocumentImpl functionId() {
 
             builder.startElement(new QName("id", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX), null);
 
-            builder.startElement(new QName("real", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX), null);
-            subjectToXml(builder, context.getRealUser());
-            builder.endElement();
+            final Subject realUser = context.getRealUser();
+            if (realUser != null) {
+                builder.startElement(new QName("real", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX), null);
+                subjectToXml(builder, realUser);
+                builder.endElement();
+            }
 
-            if (!sameUserWithSameGroups(context.getRealUser(), context.getEffectiveUser())) {
+            final Subject effectiveUser = context.getEffectiveUser();
+            if (effectiveUser != null && (realUser == null || !sameUserWithSameGroups(realUser, effectiveUser))) {
                 builder.startElement(new QName("effective", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX), null);
-                subjectToXml(builder, context.getEffectiveUser());
+                subjectToXml(builder, effectiveUser);
                 builder.endElement();
             }