When the VBS daemon on C2 is started, it reads the contents of the configuration file on the host to determine the clusters that are allowed to communicate with C2. As VBS B consists of C2 and C3, the VBS daemon determines that C3 can communicate with C2. However, C2 is part of both VBS A and VBS B. So, it can also communicate with C1, which is part of VBS A.

Hence, the VBS daemon adds the Cluster IDs of C1, C2, and C3 to the access control file, $VBS_HOME/web/admin/.xprtlaccess.

# cat /opt/VRTSvbs/web/admin/.xprtlaccess

<ClusterId of C1>@vbs_domain@<Name of VOM CMS>.vx:user

<ClusterId of C2>@vbs_domain@<Name of VOM CMS>.vx:user

<ClusterId of C3>@vbs_domain@<Name of VOM CMS>.vx:user

No external hosts or clusters can pretend to be one of C1, C2, or C3 because they do not have the credential.