Objects might have multiple permissions, but only one permission for each user or group. For example, one permission might specify that Group A has Administrator privileges on an object. Another permission might specify that Group B might have Virtual Machine Administrator privileges on the same object.

If an object inherits permissions from two parent objects, the permissions on one object are added to the permissions on the other object. For example, if a virtual machine is in a virtual machine folder and also belongs to a resource pool, that virtual machine inherits all permission settings from both the virtual machine folder and the resource pool.

Permissions applied on a child object always override permissions that are applied on a parent object. See Example 2: Child Permissions Overriding Parent Permissions.

If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:

  • If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
  • If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.