VMware 4817V62 - vSphere - PC Administration Manual page 218

vSphere Basic System Administration
Global entities
Multiple Permission Settings
Objects might have multiple permissions, but at most one for each user or group.
Permissions applied on a child object always override permissions applied on a parent object. Virtual machine
folders and resource pools are equivalent levels in the hierarchy. If a user or group is assigned propagating
permissions on both a virtual machine's folder and its resource pool, the user has the privileges propagated
from the resource pool and from the folder.
If multiple group permissions are defined on the same object and the user belongs to two or more of those
groups, two situations are possible:
If no permission is defined for the user on that object, the user is assigned the union of privileges assigned
n
to the groups for that object.
If a permission is defined for the user on that object, the user's permission takes precedence over all group
n
permissions.
Example 1: Inheritance of Multiple Permissions
This example illustrates how an object can inherit multiple permissions from groups granted permission on a
parent object.
In this example, two permissions are assigned on the same object for two different groups.
Role 1 can power on virtual machines.
n
Role 2 can take snapshots of virtual machines.
n
Group A is granted Role 1 on VM Folder, with the permission set to propagate to child objects.
n
Group B is granted Role 2 on VM Folder, with the permission set to propagate to child objects.
n
User 1 is not assigned specific permission.
n
User 1, who belongs to groups A and B, logs on. User 1 can both power on and take snapshots of VM A and
VM B.
218
Hosts
n
Networks (except vNetwork Distributed Switches)
n
dvPort Groups
n
Resource pools
n
Templates
n
Virtual machines
n
vApps
n
Derive their permissions from the root vCenter Server system.
Custom fields
n
Licenses
n
Roles
n
Statistics intervals
n
Sessions
n
VMware, Inc.