> > But if DL's connect directly to BL's, then how is authentication done? I > thought the root DL handled that. Do you really mean directly, or do you mean > through the root DL? DL authenticate them self to the BL. So the 'group' and the 'user' (aargg, darn names) id + passwords lists will be located in 2 different layers. > > > > OK, but the root DL is the only DL that can grant other DL's access. > > This 'root' will practically be most of the time invisible to the user. > > So it must open up the BL for at least one other DL > > for VSH to be usable :) > > Should that then be reworded as 'nothing can connect AS the root DL'? Yep! But [ sorry:) ] some DL might get access to this root DL at 'user' level and so getting SOME access to the root 'group'.