Global permissions are applied to a global root object that spans solutions. In an on-premises SDDC, global permissions might span both vCenter Server and vRealize Orchestrator. For any vSphere SDDC, however, global permissions apply to global objects such as tags and content libraries.

You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles. See Using Roles to Assign Privileges.

It is important to distinguish between vCenter Server permissions and global permissions.
vCenter Server permissions
You usually apply a permission to a vCenter Server inventory object such as a virtual machine. When you do, you specify that a user or group has a role (set of privileges) on the object.
Global permissions
Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment. Global permissions also apply to global objects such as tags and content libraries. See Permissions on Tag Objects.
If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They have access only to some global functionality such as creating roles.
Important: Use global permissions with care. Verify that you really want to assign permissions to all objects in all inventory hierarchies.
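The effect of Propagate described above can be checked with a small model. This is an added example, not VMware code: the inventory, principals, role names and the `GLOBAL_ROOT` label are constructed, and the closest-permission-wins rule is an assumption about vSphere inheritance that this page does not state.

```python
from dataclasses import dataclass

# Constructed inventory (child -> parent). GLOBAL_ROOT is a hypothetical label
# for the global root object that sits above every inventory hierarchy.
PARENT = {
    "vc01": "GLOBAL_ROOT",
    "vc02": "GLOBAL_ROOT",
    "vc01/dc-a": "vc01",
    "vc01/dc-a/vm-web": "vc01/dc-a",
    "vc02/dc-b": "vc02",
    "vc02/dc-b/vm-db": "vc02/dc-b",
}

@dataclass(frozen=True)
class Permission:
    principal: str
    role: str
    obj: str         # object the permission is set on
    propagate: bool  # the Propagate check box

def effective_role(principal, obj, perms):
    """Return the role the principal holds on obj, or None if it has no access."""
    # Assumption: the permission set closest to the object wins; a permission
    # on an ancestor counts only when it was created with Propagate selected.
    node, direct = obj, True
    while node is not None:
        for p in perms:
            if p.principal == principal and p.obj == node and (direct or p.propagate):
                return p.role
        node, direct = PARENT.get(node), False
    return None

def reach(principal, perms):
    """Inventory objects (below the global root) on which the principal holds a role."""
    return sorted(o for o in PARENT if effective_role(principal, o, perms))

def audit(perms):
    """Map each global permission to the inventory objects it alone reaches."""
    return {(p.principal, p.role): reach(p.principal, [p])
            for p in perms if p.obj == "GLOBAL_ROOT"}

if __name__ == "__main__":
    sample = [  # constructed sample permissions
        Permission("alice", "Administrator", "GLOBAL_ROOT", True),
        Permission("bob", "RoleAdmin", "GLOBAL_ROOT", False),
        Permission("carol", "VM Operator", "vc01/dc-a", True),
    ]
    for key, objs in audit(sample).items():
        print(key, "->", len(objs), "objects:", objs)
```

A review that lists each global permission with its reach makes the cost of selecting Propagate visible before the permission is created.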