Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server environment.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:
Where possible, grant permissions to groups rather than individual users.
Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators' privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
Use folders to group objects. For example, if you want to grant modify permission to one set of hosts and view permission to another set of hosts to a group of users, place each set of hosts in a folder.
Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
In most cases, enable propagation on permissions. This ensures that when new objects are inserted in to the inventory hierarchy, they inherit permissions and are accessible to users.
Use the No Access role to mask specific areas of the hierarchy if you do not want for certain users or groups to have access.