You can use global permissions to give a user or group privileges for all objects in all inventory hierarchies in your deployment.

Important: Use global permissions with care. Verify that you really want to assign permissions to all objects in all inventory hierarchies.


To perform this task, you must have the Permissions.Modify permission privilege on the root object for all inventory hierarchies.


  1. Log in to the vCenter Server by using the vSphere Client.
  2. Select Administration and click Global Permissions in the Access Control area.
  3. Select the domain from the Permissions provider drop-down menu.
  4. (Optional) If you have configured an external identity provider for federated authentication, the domain of that identity provider is available to select in the Domain drop-down menu.
  5. Click Add.
  6. Select the user or group that will have the privileges defined by the selected role.
    1. From the Domain drop-down menu, select the domain for the user or group.
    2. Enter a name in the Search box.
      The system searches user names and group names.
    3. Select the user or group.
  7. Select a role from the Role drop-down menu.
  8. Decide whether to propagate the permissions by selecting the Propagate to children check box.
    If you assign a global permission and do not select Propagate to children, the users or groups associated with this permission do not have access to the objects in the hierarchy. They have access only to some global functionality, such as creating roles.
  9. Click OK.