Objects might have multiple permissions, but only one permission for each user or group. For example, one permission might specify that Group A has Administrator privileges on an object. Another permission might specify that Group B might have Virtual Machine Administrator privileges on the same object.

If an object inherits permissions from two parent objects, the permissions on one object are added to the permissions on the other object. For example, assume that a virtual machine is in a virtual machine folder and also belongs to a resource pool. That virtual machine inherits all permission settings from both the virtual machine folder and the resource pool.

Permissions applied on a child object always override permissions that are applied on a parent object. See Example 2: Child Permissions Overriding Parent Permissions.

If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:

• No permission for the user is defined directly on the object. In that case, the user has the privileges that the groups have on that object.
• A permission for the user is defined directly on the object. In that case, the user's permission takes precedence over all group permissions.