You can control which users can access remote hosts and shared virtual machines by creating permissions. To create a permission, you pair a user or group with a role and associate that pairing with an object. The role defines the actions that a user or group can perform, the user or group indicates who can perform the actions, and the object is the target of the actions.
A role is a predefined set of privileges. Privileges define individual rights that a user requires to perform actions and read properties. A single user can have different roles for different objects.
Users can inherit permissions through group membership and through the object hierarchy. When you assign permissions to a group, all of the users in the group inherit those permissions. If you define multiple group permissions on the same object and a user belongs to two or more of those groups, the user inherits all of the privileges assigned to the groups. If you define a permission for the user on the object, that permission takes precedence over all group permissions.