confusion about the consepts like account, user, group , reseller, admin

I am new to swift , and I get quite confused about some concepts here.

I've successfully installed swift 1.4.3 on ubuntu 10.04, but I have to many questions about the administration work about swift
For auth subsystem I also tried both tempauth and swauth1.0.2

1. account and user
It seems that when you create a user, you also need to specify an account for that user

for example ,
      if I use tempauth, I have to write in the proxy-server.conf something like
      user_admin_admin = admin .admin .reseller_admin

      the format is actually :
      user_<account>_<user> = <key> [group] [group] [...] [storage_url]

similarly, if I use swauth
       swauth-add-user [options] <account> <user> <password>

I don't understand the relation beteween the account and user.
It seems to me that we can have multiple users under one account.
So, does every account have its own namespace for username ? I mean can user in different account have the same username?

What's the difference beween users in the same account and users in different account ?
Is there some access rule for that?

From the Open stack Object storage adminstrator manual
http://docs.openstack.org/diablo/openstack-object-storage/admin/content/authentication-and-access-permissions.html

I quote here

"Generally speaking, each user has their own storage account and has full access to that account. Users must authenticate with their credentials as described above, but once authenticated they can create/delete containers and objects within that account. The only way a user can access the content from another account is if they share an API access key or a session token provided by your authentication system."

I get confused, should I give each user a different account or we can let users share one account.
And if users share one account, what's their permission to those containers and objects created by others who are in
the same account with them ?

2.
 the confusion about user access permisson in one account lead to my second question
How do I implement acl rules for users

I have read the developer api document，I got nothing about acl in that
http://docs.openstack.org/api/openstack-object-storage/1.0/content/

however,
from http://docs.openstack.org/diablo/openstack-object-storage/admin/content/swift-cli-basics.html
I did find something about set acl rules with "swift post -r -w "
but it doesn't explain the format for the acl rules

the guide on http://swift.openstack.org/misc.html#acls did have something about acl strings,
so may be I should use it with the " swift post -r / -w " ?

Since the swift cli is build above swift restful api, I think there should be someway I can directly use restful api to set acl rules for both containers and objests, right?
So, I guess I must have missed some documents about this kind of api, please help me find that.

3. about reseller , admin

From both swauth and tempauth, when you create a user, you can make the user a reseller admin or accout admin.
in tempauth: user_<account>_<user> = <key> [group] [group] [...] [storage_url]
group can be .reseller_admin .admin

in swauth: swauth-add-user [options] <account> <user> <password> with -a or -r option

I got this from the proxy-server.conf-sample.
# .reseller_admin= can do anything to any account for this auth
# .admin = can do anything within the account

and in swauth, theres is this super_admin, it is the site admin, right?
so does a reseller admin have the same permission with site admin ?

4. about group

so, what exactly does group mean in swift

reseller admin and accout admin are both some kind of group in swift ?

I notice that the swauth api doc also mentioned 'group' in the section "user service - > Get User Details"
https://github.com/gholt/swauth/blob/master/doc/source/api.rst

Is there other group I can use besides reseller admin and account admin ? or I can just self define some group?
I how can I use the group and how it affect uers ?