So in some lightening tests, a phrase I am stealing from lightening talks sometimes given at technical conferences, I am trialling glexec for identity switching coupled with SCAS for centralised allow/deny decisions.
Here is what was tested:
an install of SCAS
and install and test GLEXEC with SCAS on LCG-CE
and install and test GLEXEC with SCAS on CREAM 
and install and test GLEXEC on WN (SL4)
and install and test GLEXEC on WN (SL5)
Detailed Instructions and Results can be found here
The short and long of it is that it is very easy to set-up SCAS and use it on whatever service you want. So easy infact that once you SCAS server is up and running you cn direct calls to it from your CE's in a matter of minutes. glexec on the WN is just as easy, all that remains would be for someone to use it.
We currently have not rolled any of this into production but I am confident that it could be done quickly and safely. Since we are into real data taking, safely is the keyword. We want no unnecessary downtimes, which I think is achievable.
Thanks to Oscar at Nikhef for answering questions.
1: there appeared to be a certificate permission issue when calling SCAS from CREAM that prevented job submission. It looks like you need to copy the hostcert/key by hand to another cert owned by the tomcat user.
-rw-r--r-- 1 tomcat tomcat 2187 Dec 4 10:44 tomcathostcert.pem
-r-------- 1 tomcat tomcat 1863 Dec 4 10:44 tomcathostkey.pem