Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server environment.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:
Where possible, assign a role to a group rather than individual users to grant privileges to that group.
Grant permissions only on the objects where they are needed, and assign privileges only to users or groups that must have them. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators' privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
Use folders to group objects. For example, if you want to grant modify permission on one set of hosts and view permission on another set of hosts, place each set of hosts in a folder.
Use caution when adding a permission to the root vCenter Server objects. Users with privileges at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings.
In most cases, enable propagation when you assign permissions to an object. This ensures that when new objects are inserted in to the inventory hierarchy, they inherit permissions and are accessible to users.
Use the No Access role to mask specific areas of the hierarchy if you do not want for certain users or groups to have access to the objects in that part of the object hierarchy.
Changes to licenses propagate to all vCenter Server systems that are linked to the same Platform Services Controller or to Platform Services Controllers in the same vCenter Single Sign-On domain, even if the user does not have privileges on all of the vCenter Server systems.