X.509 certificates are currently (as of Nov. 21) the most common method of authenticating to Rucio. However, certificates provide only authentication, not authorization: a certificate identifies a user, but certificates cannot be placed in groups, which is what is needed to restrict access to a set of files, for example to enforce a data embargo. In addition, the access permissions of a file must be enforced regardless of the access path (Rucio, native storage protocols, NFS, etc.); a restriction that only Rucio knows about is bypassed by every other path.
At the lowest level, Rucio reaches the files through dCache. The simplest place to enforce access restrictions in a protocol-independent way is therefore dCache itself: every higher-level access path, Rucio included, passes through it and is subject to the same checks.
For this purpose, all dCache nodes map each certificate to exactly one POSIX UID, and UIDs are in turn assigned to POSIX groups. Access rights to a file are thus ultimately reduced to ordinary POSIX file permissions: openly available files are world-readable, while files still under embargo, for example, are readable only by a particular group, and lifting an embargo is nothing more than a change of mode or group on the file. The scheme only holds if the certificate-to-UID mapping is identical on every node and every door, and if access paths that present a UID rather than a certificate (such as NFS) use UIDs that agree with that mapping; otherwise the same user would receive different rights depending on how the request arrives.
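To make the chain concrete, the following is an added example in Python; it is not code from this page, from Rucio or from dCache. It models the two steps described above: a certificate subject DN is mapped to exactly one POSIX UID plus a set of GIDs, and a read request is then decided from the file's owner, group and mode bits exactly as a POSIX access check decides it (one permission class applies, chosen by identity, never the most permissive one). The DNs, UIDs, GIDs, paths, the mapping table and the "unmapped DN is refused" policy are all constructed assumptions; in dCache the real mapping is produced by its gPlazma plugins, which this stand-in does not reproduce.

```python
"""Model of the access-control chain: X.509 DN -> POSIX UID/GIDs -> POSIX
file permissions. All identifiers and files below are constructed sample
data, not a real site's configuration."""
from __future__ import annotations

import stat
from dataclasses import dataclass, replace

# Constructed mapping table (hypothetical DNs and IDs): certificate subject DN
# -> (uid, primary gid, supplementary gids). In dCache this is what the
# gPlazma plugins produce; here it is a plain dict standing in for them.
GID_DATA, GID_EMBARGO = 3000, 3100
DN_MAP = {
    "/DC=org/DC=example/CN=datamgr": (2000, GID_DATA, {GID_DATA}),               # owns the files
    "/DC=org/DC=example/CN=alice":   (1001, GID_DATA, {GID_DATA, GID_EMBARGO}),  # embargo member
    "/DC=org/DC=example/CN=bob":     (1002, GID_DATA, {GID_DATA}),               # ordinary user
}


@dataclass(frozen=True)
class NsEntry:
    """A file as the storage namespace sees it: owner, group and mode bits."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


# Constructed sample files: one openly available, one still under embargo.
OPEN_FILE = NsEntry("/data/open/run001.root", uid=2000, gid=GID_DATA, mode=0o644)
EMBARGO_FILE = NsEntry("/data/embargo/run002.root", uid=2000, gid=GID_EMBARGO, mode=0o640)


def posix_may_read(uid: int, gids: set[int], entry: NsEntry) -> bool:
    """Classic POSIX read check: exactly one permission class applies.

    The class is chosen by identity (owner, else group, else other), not by
    taking the union of bits, so an owner facing mode 0o040 is denied even
    though the group may read. A root bypass is deliberately not modelled.
    """
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)


def may_read(dn: str, entry: NsEntry) -> bool:
    """Decide a read request arriving with a certificate: map the DN to
    UID/GIDs, then apply the POSIX check.

    An unmapped DN is refused outright (assumed policy): a subject the
    storage does not know gets no rights at all, not even to world-readable
    files, which is the safe default for an identity-mapping layer.
    """
    ident = DN_MAP.get(dn)
    if ident is None:
        return False
    uid, primary_gid, supp_gids = ident
    return posix_may_read(uid, {primary_gid} | supp_gids, entry)


def lift_embargo(entry: NsEntry) -> NsEntry:
    """Releasing data is a pure namespace operation (the equivalent of
    chmod o+r); nothing changes in Rucio or in any access protocol, which is
    the point of enforcing the restriction at the dCache level."""
    return replace(entry, mode=entry.mode | stat.S_IROTH)


if __name__ == "__main__":
    for dn in list(DN_MAP) + ["/DC=org/DC=example/CN=stranger"]:
        for entry in (OPEN_FILE, EMBARGO_FILE, lift_embargo(EMBARGO_FILE)):
            verdict = "read" if may_read(dn, entry) else "DENY"
            print(f"{verdict:5} {dn.rsplit('=', 1)[1]:9} {entry.path} (mode {entry.mode:o})")
```

Running the block prints one verdict per (identity, file) pair: everyone mapped may read the open file, only the owner and the embargo group member may read the embargoed file, the stranger with no mapping is denied everywhere, and after lift_embargo the embargoed file behaves like the open one.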