This example illustrates how a role assigned directly to an individual user overrides the privileges associated with a role assigned to a group.

In this example, two permissions are defined on the same object. One permission associates a group with a role; the other associates an individual user with a role. The user is a member of the group.

  • PowerOnVMRole can power on virtual machines.
  • PowerOnVMGroup is granted the PowerOnVMRole on VM Folder.
  • User 1 is granted the NoAccess role on VM Folder.

User 1, who belongs to PowerOnVMGroup, logs in. The NoAccess role granted to User 1 on VM Folder overrides the role assigned to the group. User 1 has no access to VM Folder or VMs A and B. VMs A and B are not visible in the hierarchy to User 1.

Figure 1. Example 3: User Permissions Overriding Group Permissions
An example of user permissions overriding group permissions.
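The resolution rule in this example can be modeled for auditing a permission export. The following Python sketch is an added illustration, not VMware code: the data structures, the function names, and the second group member "User 2" are assumptions, as are propagation of folder permissions to child VMs and the combining of several group roles on one object.

```python
from dataclasses import dataclass

# Constructed data mirroring the scenario; "User 2" is an added group member.
ROLES = {"PowerOnVMRole": {"VirtualMachine.Interact.PowerOn"}, "NoAccess": set()}
PARENT = {"VM Folder": None, "VM A": "VM Folder", "VM B": "VM Folder"}
GROUPS = {"PowerOnVMGroup": {"User 1", "User 2"}}

@dataclass(frozen=True)
class Permission:
    entity: str
    principal: str
    is_group: bool
    role: str

PERMISSIONS = [
    Permission("VM Folder", "PowerOnVMGroup", True, "PowerOnVMRole"),
    Permission("VM Folder", "User 1", False, "NoAccess"),
]

def effective_privileges(user, entity, permissions=PERMISSIONS):
    """Walk up from entity; on the first object with a matching permission, a direct user grant beats group grants."""
    node = entity
    while node is not None:
        here = [p for p in permissions if p.entity == node]
        direct = [p for p in here if not p.is_group and p.principal == user]
        if direct:
            return set(ROLES[direct[0].role])
        via_group = [p for p in here if p.is_group and user in GROUPS.get(p.principal, ())]
        if via_group:
            # Assumption: roles from several groups on the same object combine.
            return set().union(*(ROLES[p.role] for p in via_group))
        node = PARENT[node]
    return set()

def shadowed_group_grants(permissions=PERMISSIONS):
    """Report (user, entity, group role, user role) wherever a direct user permission overrides a group one."""
    found = []
    for u in (p for p in permissions if not p.is_group):
        for g in (p for p in permissions if p.is_group and p.entity == u.entity):
            if u.principal in GROUPS.get(g.principal, ()):
                found.append((u.principal, u.entity, g.role, u.role))
    return found
```

Running `shadowed_group_grants()` over a real export flags every object where a user-level role replaces what group membership would grant, which is worth reviewing in both directions: the override can remove access, as here, or widen it.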