Before implementing restricted global entitlements, you must be aware of certain considerations and limitations.
A single Connection Server instance or global entitlement can have multiple tags.
Multiple Connection Server instances and global entitlements can have the same tag.
Any Connection Server instance can access a global entitlement that does not have any tags.
Connection Server instances that do not have any tags can access only global entitlements that also do not have any tags.
If you use a security server, you must configure restricted entitlements on the Connection Server instance with which the security server is paired. You cannot configure restricted entitlements on a security server.
Restricted global entitlements take precedence over other entitlements or assignments. For example, even if a user is assigned to a particular machine, the user cannot access that machine if the tag assigned to the global entitlement does not match the tag assigned to the Connection Server instance to which the user is connected.
If you intend to provide access to your global entitlements through VMware Identity Manager and you configure Connection Server restrictions, the VMware Identity Manager app might display global entitlements to users when the global entitlements are actually restricted. When a VMware Identity Manager user attempts to connect to a global entitlement, the desktop or application does not start if the tag assigned to the global entitlement does not match the tag assigned to the Connection Server instance to which the user is connected.