In the vCenter Server object hierarchy, tag objects are not children of vCenter Server but are created at the vCenter Server root level. In environments with multiple vCenter Server instances, tag objects are shared across vCenter Server instances. Permissions for tag objects work differently than permissions for other objects in the vCenter Server object hierarchy.

Only Global Permissions or Permissions Assigned to the Tag Object Apply

Permissions granted on a vCenter Server inventory object, such as an ESXi host or a virtual machine, do not carry over to tag operations. Granting a user a tagging privilege on such an object does not, by itself, let that user perform tag operations on it.

For example, if you grant the Assign vSphere Tag privilege to user Dana on host TPA, that permission does not affect whether Dana can assign tags on host TPA. Dana must have the Assign vSphere Tag privilege at the root level, that is, a global permission, or must have the privilege for the tag object.
Table 1. How Global Permissions and Tag Object Permissions Affect What Users Can Do

| Global Permission | Tag-Level Permission | vCenter Server Object-Level Permission | Effective Permission |
|---|---|---|---|
| No tagging privileges assigned. | Dana has the Assign or Unassign vSphere Tag privilege for the tag. | Dana has the Delete vSphere Tag privilege on ESXi host TPA. | Dana has the Assign or Unassign vSphere Tag privilege for the tag. |
| Dana has the Assign or Unassign vSphere Tag privilege. | No privileges assigned for the tag. | Dana has the Delete vSphere Tag privilege on ESXi host TPA. | Dana has the Assign or Unassign vSphere Tag privilege globally, which includes the tag. |
| No tagging privileges assigned. | No privileges assigned for the tag. | Dana has the Assign or Unassign vSphere Tag privilege on ESXi host TPA. | Dana has no tagging privileges on any object, including host TPA. The object-level grant is ignored for tag operations. |

Global Permissions Complement Tag Object Permissions

Global permissions, that is, permissions assigned on the root object, complement permissions on tag objects when the permissions on the tag objects are more restrictive. Permissions on vCenter Server inventory objects do not affect tag objects at all.

For example, assume that you assign the Delete vSphere Tag privilege to user Robin at the root level, that is, by using Global Permissions. For the tag Production, you do not assign the Delete vSphere Tag privilege to Robin. Robin nevertheless has the privilege, even for the tag Production, because the Global permission applies. You cannot restrict the privilege on a single tag; to restrict it, you must modify the global permission.

Table 2. Global Permissions Complement Tag-Level Permissions

| Global Permission | Tag-Level Permission | Effective Permission |
|---|---|---|
| Robin has the Delete vSphere Tag privilege. | Robin does not have the Delete vSphere Tag privilege for the tag. | Robin has the Delete vSphere Tag privilege. |
| No tagging privileges assigned. | Robin does not have the Delete vSphere Tag privilege for the tag. | Robin does not have the Delete vSphere Tag privilege. |

Tag-Level Permissions Can Extend Global Permissions

You can use tag-level permissions to extend Global permissions. A user can hold both a Global permission and a tag-level permission on the same tag, and the effective privileges on that tag are the union of the two.

Table 3. Tag-Level Permissions Extend Global Permissions

| Global Permission | Tag-Level Permission | Effective Permission |
|---|---|---|
| Lee has the Assign or Unassign vSphere Tag privilege. | Lee has the Delete vSphere Tag privilege for the tag. | Lee has the Assign or Unassign vSphere Tag privilege and the Delete vSphere Tag privilege for the tag. |
| No tagging privileges assigned. | Lee has the Delete vSphere Tag privilege for the tag. | Lee has the Delete vSphere Tag privilege for the tag. |
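The three rules above (object-level permissions are ignored, global permissions complement tag-level ones, tag-level permissions extend global ones) reduce to one resolution step: the effective tagging privileges on a tag are the union of the user's global tagging privileges and the privileges granted on the tag object itself, with inventory-object grants contributing nothing. The following added example, which is not VMware code and not how vCenter Server implements the check internally, models that step and replays every row of Tables 1 to 3. The tag name Production is reused for Dana and Lee (the page names it only for Robin), the class and function names are hypothetical, and the audit helper at the end flags tagging privileges granted on inventory objects, since such grants are silent no-ops that a reviewer would otherwise mistake for working access control.

```python
from dataclasses import dataclass, field

# Privilege display names as the vSphere Client shows them (names taken from the page).
ASSIGN = "Assign or Unassign vSphere Tag"
DELETE = "Delete vSphere Tag"
TAGGING_PRIVILEGES = frozenset({ASSIGN, DELETE})


@dataclass
class TagPermissionModel:
    """Hypothetical model of tagging-privilege resolution (not vCenter's code).
    Global (root-level) grants and grants on the tag object are unioned;
    grants on vCenter inventory objects are stored but never consulted."""
    global_privs: dict = field(default_factory=dict)   # user -> set(priv)
    tag_privs: dict = field(default_factory=dict)      # (user, tag) -> set(priv)
    object_privs: dict = field(default_factory=dict)   # (user, inventory object) -> set(priv)

    def grant_global(self, user, *privs):
        self.global_privs.setdefault(user, set()).update(privs)

    def grant_on_tag(self, user, tag, *privs):
        self.tag_privs.setdefault((user, tag), set()).update(privs)

    def grant_on_object(self, user, obj, *privs):
        self.object_privs.setdefault((user, obj), set()).update(privs)

    def effective_tag_privileges(self, user, tag):
        """Global grants complement tag-level grants (Table 2), tag-level grants
        extend global grants (Table 3), object-level grants are ignored (Table 1)."""
        effective = set(self.global_privs.get(user, set()))
        effective |= self.tag_privs.get((user, tag), set())
        return frozenset(effective & TAGGING_PRIVILEGES)

    def can(self, user, priv, tag, obj=None):
        """`obj` is the inventory object the tag would be attached to. It is
        accepted only to make the point explicit: it plays no part in the decision."""
        return priv in self.effective_tag_privileges(user, tag)

    def dead_object_grants(self):
        """Audit helper: tagging privileges granted on inventory objects.
        They grant nothing, so each one is either a misconfiguration or a sign
        that someone expected per-object tagging control that does not exist."""
        return sorted(
            (user, obj, sorted(privs & TAGGING_PRIVILEGES))
            for (user, obj), privs in self.object_privs.items()
            if privs & TAGGING_PRIVILEGES
        )


def build_page_scenarios():
    """Replay the rows of Tables 1 to 3. Returns {(table, row): effective privileges}."""
    results = {}

    # Table 1, row 1: Assign on the tag, Delete on host TPA.
    m = TagPermissionModel()
    m.grant_on_tag("Dana", "Production", ASSIGN)
    m.grant_on_object("Dana", "host TPA", DELETE)
    results[("T1", 1)] = m.effective_tag_privileges("Dana", "Production")

    # Table 1, row 2: global Assign, Delete on host TPA.
    m = TagPermissionModel()
    m.grant_global("Dana", ASSIGN)
    m.grant_on_object("Dana", "host TPA", DELETE)
    results[("T1", 2)] = m.effective_tag_privileges("Dana", "Production")

    # Table 1, row 3: only Assign on host TPA, which resolves to nothing.
    m = TagPermissionModel()
    m.grant_on_object("Dana", "host TPA", ASSIGN)
    results[("T1", 3)] = m.effective_tag_privileges("Dana", "Production")
    results[("T1", "audit")] = m.dead_object_grants()

    # Table 2, row 1: global Delete, nothing on the tag Production.
    m = TagPermissionModel()
    m.grant_global("Robin", DELETE)
    results[("T2", 1)] = m.effective_tag_privileges("Robin", "Production")

    # Table 2, row 2: no grants anywhere.
    m = TagPermissionModel()
    results[("T2", 2)] = m.effective_tag_privileges("Robin", "Production")

    # Table 3, row 1: global Assign plus Delete on the tag.
    m = TagPermissionModel()
    m.grant_global("Lee", ASSIGN)
    m.grant_on_tag("Lee", "Production", DELETE)
    results[("T3", 1)] = m.effective_tag_privileges("Lee", "Production")

    # Table 3, row 2: Delete on the tag only.
    m = TagPermissionModel()
    m.grant_on_tag("Lee", "Production", DELETE)
    results[("T3", 2)] = m.effective_tag_privileges("Lee", "Production")
    return results


if __name__ == "__main__":
    for key, value in build_page_scenarios().items():
        print(key, sorted(value) if isinstance(value, frozenset) else value)
```

When reviewing a vCenter role design, run the equivalent of `dead_object_grants` against the real permission list: any tagging privilege that appears only on hosts, clusters or virtual machines is not enforcing anything, and the control you actually want lives either in a global permission or on the tag (or tag category) object.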