When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.

The figure illustrates inventory hierarchy and the paths by which permissions can propagate.

Figure 1. vSphere Inventory Hierarchy
The inheritance of permissions in the vSphere inventory hierarchy is represented. Arrows indicate the inheritance of permissions from parent objects to child objects.

Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent datacenter. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously. To restrict a user’s privileges on a virtual machine, you must set permissions on both the parent folder and the parent host, cluster, or resource pool for that virtual machine.

To set permissions for a distributed switch and its associated distributed port groups, set permissions on a parent object, such a folder or datacenter. You must also select the option to propagate these permissions to child objects.

Permissions take several forms in the hierarchy:

Managed entities
You can define permissions on managed entities.
  • Clusters
  • Datacenters
  • Datastores
  • Datastore clusters
  • Folders
  • Hosts
  • Networks (except vSphere Distributed Switches)
  • Distributed port groups
  • Resource pools
  • Templates
  • Virtual machines
  • vSphere vApps
Global entities
Global entities derive permissions from the root vCenter Server system.
  • Custom fields
  • Licenses
  • Roles
  • Statistics intervals
  • Sessions