If simply restricting by group membership, I would recommend omitting the cluster config ACLs and instead apply file permissions to the cluster config file itself (so chmod 750 and chgrp ood_users). Long term I think we want to discourage people from using that feature since it deviates from the approach we take with authorization for everything else in OnDemand - using file permissions.
That’s right, the best practice is to maintain file ACLs on the cluster.d/my_cluster.yml which are likely much faster than any ruby code (because we never read the file!).