Comments/questions on the data workflow (see slides for details):

• Users can in theory use their proxy to directly talk to the back-end and bypass restriction (but don't know how to do it)
• Depending on site configuration, there might be in fact already proper ACLs (site can know the real owner, as they have the user certificate and can map it)
• The complete isolation currently available in LHCb's VMs could be obtained in the normal grid using singularity