diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index a5db44bb5c3103a5beaa517c4ad372ce8a52a5ec..a9cbb5a19b27c083f024d184fa1a4ac9016d913a 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -10,6 +10,20 @@ yum-config-manager --enable eos-citrine
 # Install missing RPMs
 yum -y install eos-client eos-server xrootd-client xrootd-debuginfo xrootd-server cta-cli cta-debuginfo
 
+# create local users as the mgm is the only one doing the uid/user/group mapping in the full infrastructure
+groupadd --gid 1100 eosusers
+groupadd --gid 1200 powerusers
+groupadd --gid 1300 ctaadmins
+groupadd --gid 1400 eosadmins
+useradd --uid 11001 --gid 1100 user1
+useradd --uid 11002 --gid 1100 user2
+useradd --uid 12001 --gid 1200 poweruser1
+useradd --uid 12002 --gid 1200 poweruser2
+useradd --uid 13001 --gid 1300 ctaadmin1
+useradd --uid 13002 --gid 1300 ctaadmin2
+useradd --uid 14001 --gid 1400 eosadmin1
+useradd --uid 14002 --gid 1400 eosadmin2
+
 # copy needed template configuration files (nice to get all lines for logs)
 yes | cp -r /opt/ci/ctaeos/etc /
 
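Review bot: The added `groupadd`/`useradd` calls run unchecked, so a failure (an id that is already taken, or the script being run a second time in the same container) would leave the name-to-id mapping that the later ACL relies on incomplete without any visible error. Whether the script sets `set -e` is not visible in this hunk; if it does not, guard each call, for example `getent group eosusers >/dev/null || groupadd --gid 1100 eosusers`, and abort when the resulting gid is not the expected one. These accounts appear to exist only for uid/gid mapping, so `useradd --no-create-home --shell /sbin/nologin --uid 11001 --gid 1100 user1` would avoid creating login-capable accounts in the MGM container. A comment stating that these ids must match the ones the tests pass to `eos -r` would also help.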
@@ -95,8 +109,14 @@ echo -n '0 u:daemon g:daemon n:ctaeos+ N:6361884315374059521 c:1481241620 e:0 f:
   eos mkdir ${CTA_WF_DIR}
   eos attr set CTA_TapeFsId=${TAPE_FS_ID} ${CTA_WF_DIR}
   
+  # ${CTA_TEST_DIR} must be writable by eosusers and powerusers
+  # but as there is no sticky bit in eos, we need to remove deletion for non owner to eosusers members
+  # this is achieved through the ACLs.
+  # ACLs in EOS are evaluated when unix permissions are failing, hence the 555 unix permission.
   eos mkdir ${CTA_TEST_DIR}
-  eos chmod 777 ${CTA_TEST_DIR}
+  eos chmod 555 ${CTA_TEST_DIR}
+  eos attr set sys.acl=g:eosusers:rwx!d,g:powerusers:rwx+d /eos/ctaeos/cta
+
   eos attr set CTA_StorageClass=ctaStorageClass ${CTA_TEST_DIR}
     
   # hack before it is fixed in EOS
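Review bot: The new `eos attr set sys.acl=...` line targets the literal path `/eos/ctaeos/cta`, while the `mkdir` and `chmod 555` around it use `${CTA_TEST_DIR}`. If the variable ever points elsewhere, the test directory ends up at mode 555 with no ACL, and the ACL lands on a different directory. Use the variable and quote the value so the `!` and `+` are never reinterpreted: `eos attr set 'sys.acl=g:eosusers:rwx!d,g:powerusers:rwx+d' "${CTA_TEST_DIR}"`. The result of `attr set` is not checked here; a following `eos attr ls "${CTA_TEST_DIR}"` would make a failed ACL setup visible in the logs. The enclosing block starts and ends outside this hunk.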
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index 63a1b6a41a808ebdeabc34d5e2e3a22e4dfbb2c3..74dfdc9759d5e004e1be27e2befd9149dfe32a11 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -241,15 +241,7 @@ kubectl --namespace=${instance} exec ctacli -- kinit -kt /root/admin1.keytab adm
 kubectl --namespace=${instance} exec client -- kinit -kt /root/user1.keytab user1@TEST.CTA
 
 # create users on the mgm
-kubectl --namespace=${instance} exec ctaeos -- groupadd --gid 1100 eosusers
-kubectl --namespace=${instance} exec ctaeos -- groupadd --gid 1200 powerusers
-kubectl --namespace=${instance} exec ctaeos -- groupadd --gid 1300 ctaadmins
-kubectl --namespace=${instance} exec ctaeos -- groupadd --gid 1400 eosadmins
-kubectl --namespace=${instance} exec ctaeos -- useradd --uid 11001 --gid 1100 user1
-kubectl --namespace=${instance} exec ctaeos -- useradd --uid 12001 --gid 1200 poweruser1
-kubectl --namespace=${instance} exec ctaeos -- useradd --uid 13001 --gid 1300 ctaadmin1
-kubectl --namespace=${instance} exec ctaeos -- useradd --uid 14001 --gid 1400 eosadmin1
-
+# this is done in ctaeos-mgm.sh as the mgm needs this to setup the ACLs
 
 # use krb5 and then unix fod xrootd protocol on the client pod for eos, xrdcp and cta everything should be fine!
 echo "XrdSecPROTOCOL=krb5,unix" | kubectl --namespace=${instance} exec -i client -- bash -c "cat >> /etc/xrootd/client.conf"
diff --git a/continuousintegration/orchestration/tests/client_ar.sh b/continuousintegration/orchestration/tests/client_ar.sh
index 8d174c79a6c529fa6526cd0343ed26ccd9955cda..c60e3eb9917a90079fd77f40f1fa9919c8bcf4b2 100644
--- a/continuousintegration/orchestration/tests/client_ar.sh
+++ b/continuousintegration/orchestration/tests/client_ar.sh
@@ -33,8 +33,8 @@ echo "********"
   eos root://${EOSINSTANCE} ls -l /eos/ctaeos/cta/${TEST_FILE_NAME}
   eos root://${EOSINSTANCE} info /eos/ctaeos/cta/${TEST_FILE_NAME}
 echo
-echo "Removing disk replica"
- XrdSecPROTOCOL=sss eos root://${EOSINSTANCE} file tag /eos/ctaeos/cta/${TEST_FILE_NAME} -1
+echo "Removing disk replica as poweruser1:powerusers (12001:1200)"
+ XrdSecPROTOCOL=sss eos -r 12001 1200 root://${EOSINSTANCE} file drop /eos/ctaeos/cta/${TEST_FILE_NAME} 1
 echo
 echo "Information about the testing file without disk replica"
   eos root://${EOSINSTANCE} ls -l /eos/ctaeos/cta/${TEST_FILE_NAME}
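Review bot: The `file drop` issued as `12001 1200` is not checked for success, so if the ACL denied it the script would, as far as this hunk shows, just continue to the next `echo`. Test the exit status, e.g. append `|| { echo "drop as poweruser1 failed"; exit 1; }`. The `!d` half of the ACL is not exercised at all: a companion step that attempts a delete as `11001 1100` and expects it to fail would confirm that eosusers members cannot remove files. The ids `12001 1200` and the filesystem id `1` are literals duplicated from ctaeos-mgm.sh, so a comment naming that file as the source of truth (or shared variables) would keep them from drifting apart.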