yes, I would enforce access control on repositories using lakeFS policies and groups. That was the Idea. So I could link each tenant repository to a storage names space. OK... But when I create different branches for different data domains for each tenant repository I probably can not assign these data domain branches across multiple tenant repositories to a user group (data domain users and services), right?