The dgAuthz/dgPolicy stuff that Ando proposed doesn't preclude what you want to do. I just am not convinced yet that dgAuthz is necessary. The code I just committed for dynlist.c leaves that out for now; we can add it later if the consensus is that it's useful.

So, that behavior of letting the dynlist or dyngroup overlay do a query that the user querying the group tree is not themselves permitted to make is exactly what we need, since we can then use the more granular access control possible on the separate group DNs to implement control over entitlement visibility that's otherwise annoying to represent.
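The ACL layout the reply has in mind, written out as an added example (this is not configuration from the thread or from the OpenLDAP project; the suffix, the ou=entitlements/ou=people trees, the `department` attribute and the group names are all assumed for illustration). The dynlist overlay expands each groupOfURLs entry's memberURL into a member attribute, the people tree is locked down so ordinary users cannot run that search themselves, and who may see a given entitlement is decided by an ACL on that group's DN:

```conf
# Added example slapd.conf fragment (assumed layout, not the project's own config).
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=manager,dc=example,dc=com"

# Expand memberURL of every groupOfURLs entry into a member attribute.
# An entitlement entry under ou=entitlements would carry, for instance,
#   memberURL: ldap:///ou=people,dc=example,dc=com??sub?(department=payroll)
overlay     dynlist
dynlist-attrset groupOfURLs memberURL member

# Ordinary users may not search the people tree on the attribute the
# memberURL filters on; only the overlay's expansion of the group uses it.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=department
    by dn.exact="cn=manager,dc=example,dc=com" write
    by self read
    by * none

# Entitlement visibility is controlled per group DN. More specific
# "access to" clauses must come before the subtree clause below, since
# slapd uses the first clause whose target matches.
access to dn.exact="cn=payroll-access,ou=entitlements,dc=example,dc=com"
    by group.exact="cn=hr-managers,ou=groups,dc=example,dc=com" read
    by * none

# Everything else under ou=entitlements is readable by any bound user.
access to dn.subtree="ou=entitlements,dc=example,dc=com"
    by users read
    by * none
```

Here `cn=hr-managers` is assumed to be an ordinary static groupOfNames, which is what `group.exact` evaluates by default; a user who is not in it gets no entry at all for `cn=payroll-access`, while the dynamic membership of the entitlements they can see is still computed over `department`, an attribute they cannot search on directly.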