Hi, Jack.  I believe the client is still using the encrypted cached password
even when you specify the -password option.  That or maybe it's defaulting
to the TSM Authorized User/sticky bit behavior described in the manual.  In
either case, the truth is that any user that knows the node's password, even
if he's on the local machine, has access to all the files.  If you back up
files on apollo, and then restore on apollo from node apollo using
-virtualnodename=apollo, it forces password recognition and Bob can restore
Alice's files on the local server.  I tested this as follows using the
Alice's files on the local server.  I tested this as follows using the
3.1.0.8 client and the 4.1.3.0 client.

jester:alex /home/alex$ ls -l /etc/inittab
-rw-------   1 root     system      3576 Aug 10 12:59 /etc/inittab
jester:alex /home/alex$ dsmc res -virtualnodename=jester -password=[pw] -pi
jester:alex /home/alex$ dsmc res -virtualnodename=jester -password=[pw] -pi
/etc/inittab /home/alex/inittab

was able to see and restore /etc/inittab, but I didn't copy and paste the
pick list and restore.

jester:alex /home/alex$ dsmc res -password=[pw] -pi /etc/inittab

was not able to see /etc/inittab.  With neither client did I get the
ANS1107E Invalid option/value: '-virtualnode=MachineA'.

I hope this helps.

Alex