When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
About this figure:
- You cannot set direct permissions on the VM, host, network, and storage folders. That is, these folders act as containers, and as such are not visible to users.
- You cannot set permissions on standard switches.
Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.
For example, you can set permissions for a distributed switch and its associated distributed port groups, by setting permissions on a parent object, such as a folder or data center. You must also select the option to propagate these permissions to child objects.
Permissions take several forms in the hierarchy:
- Managed entities
Managed entities refer to the following vSphere objects. Managed entities offer specific operations that vary depending on the entity type. Privileged users can define permissions on managed entities. See the vSphere API documentation for more information about vSphere objects, properties, and methods.
- Data centers
- Datastore clusters
- Networks (except vSphere Distributed Switches)
- Distributed port groups
- Resource pools
- Virtual machines
- vSphere vApps
- Global entities
You cannot modify permissions on entities that derive permissions from the root
vCenter Server system.
- Custom fields
- Statistics intervals