When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.

The following figure illustrates the inventory hierarchy and the paths by which permissions can propagate.
Note: Global permissions support assigning privileges across solutions from a global root object. See Global Permissions.
Figure 1. vSphere Inventory Hierarchy
This figure shows the inheritance of permissions in the vSphere inventory hierarchy, from parent objects to child objects.

About this figure:

  • You cannot set direct permissions on the VM, host, network, and storage folders. That is, these folders act as containers, and as such are not visible to users.
  • You cannot set permissions on standard switches.
Note: To be able to set and propagate permissions to children on a vSphere Distributed Switch (VDS), the switch object must reside in a network folder created on the data center.

Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.

For example, you can set permissions for a distributed switch and its associated distributed port groups, by setting permissions on a parent object, such as a folder or data center. You must also select the option to propagate these permissions to child objects.

Permissions take several forms in the hierarchy:

Managed entities
Managed entities refer to the following vSphere objects. Managed entities offer specific operations that vary depending on the entity type. Privileged users can define permissions on managed entities. See the vSphere API documentation for more information about vSphere objects, properties, and methods.
  • Clusters
  • Data centers
  • Datastores
  • Datastore clusters
  • Folders
  • Hosts
  • Networks (except vSphere Distributed Switches)
  • Distributed port groups
  • Resource pools
  • Templates
  • Virtual machines
  • vSphere vApps
Global entities
You cannot modify permissions on entities that derive permissions from the root vCenter Server system.
  • Custom fields
  • Licenses
  • Roles
  • Statistics intervals
  • Sessions