After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same propagating permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.

When you assign permissions, the user and the group names must match Active Directory precisely, including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.


On the object whose permissions you want to modify, you must have a role that includes the Permissions.Modify permission privilege.


  1. Browse to the object for which you want to assign permissions in the vSphere Client object navigator.
  2. Click the Permissions tab.
  3. Click Add.
  4. (Optional) If you have configured an external identity provider for federated authentication, the domain of that identity provider is available to select in the Domain drop-down menu.
  5. Select the user or group that will have the privileges defined by the selected role.
    1. From the Domain drop-down menu, select the domain for the user or group.
    2. Enter a name in the Search box.
      The system searches user names and group names.
    3. Select the user or group.
  6. Select a role from the Role drop-down menu.
  7. (Optional) To propagate the permissions, select the Propagate to children check box.
    The role is applied to the selected object and propagates to the child objects.
  8. Click OK.