EOS permissions for CMS user directories /store/user

Hi all!

This not exactly an EOS issue, but I hope someone can help me out:
In the CMS directory hierarchy, there is /store/user which is according to the docs i can find (https://twiki.cern.ch/twiki/bin/view/CMS/DMWMPG_Namespace) meant to be for the “site local” users - the users the site supports directly. The docs are a bit vague in how this should be done “some restrictions”…
At our site T2_AT_Vienna, we’ve discovered several user subdirectories that take up significant data, that are not our direclty supported site users.

My question is: How can I set permissions on this directory, so that only “our” users can create directories or write there. In particular: my understanding is that CRAB jobs will have proxy certs or tokens that don’t allow to match individual users. How are other sites implementing this?
(We do have a report that this is setup at DESY, but there (According to the hostnames) it’s a dcache instance.

I am also aware of the /store/temp/user/ , where we’ve setup a LRU policy that will cleanup regularly.

Best to all of you and hop to see you at the workshop,
Erich