When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.
For example, you can set permissions for a distributed switch and its associated distributed port groups, by setting permissions on a parent object, such as a folder or data center. You must also select the option to propagate these permissions to child objects.
Permissions take several forms in the hierarchy:
- Managed entities
Privileged users can define permissions on managed entities.
- Data centers
- Datastore clusters
- Networks (except vSphere Distributed Switches)
- Distributed port groups
- Resource pools
- Virtual machines
- vSphere vApps
- Global entities
You cannot modify permissions on entities that derive permissions from the root
vCenter Server system.
- Custom fields
- Statistics intervals