In vCenter Server, global permissions are applied to a global root object that spans VMware solutions. In an on-premises SDDC, global permissions might span both vCenter Server and VMware Aria Automation Orchestrator. But for any vSphere SDDC, global permissions apply to global objects such as tags and content libraries.
You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles. See Using vCenter Server Roles to Assign Privileges.
It is important to distinguish between vCenter Server permissions and global permissions.
Permission Type | Description |
---|---|
vCenter Server | vCenter Server permissions apply to specific objects in the inventory hierarchy, such as hosts, virtual machines, datastores, and so on. When you assign vCenter Server permissions, you specify that a user or group has a role (set of privileges) on the object. |
Global | Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment. Global permissions also apply to global objects such as tags and content libraries. See vCenter Server Permissions on Tag Objects. If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles. |
Add a Global Permission
You can use global permissions to give a user or group privileges for all objects in all inventory hierarchies in your deployment.
Prerequisites
To perform this task, you must have
privileges on the root object for all inventory hierarchies.Procedure
vCenter Server Permissions on Tag Objects
In the vCenter Server object hierarchy, tag objects are not children of vCenter Server but are created at the vCenter Server top level. In environments with multiple vCenter Server instances, tag objects are shared across vCenter Server instances. Permissions for tag objects work differently than permissions for other objects in the vCenter Server object hierarchy.
Only Global Permissions or Permissions Assigned to the Tag Object Apply
If you grant permissions to a user on a vCenter Server inventory object, such as a virtual machine, that user can perform the tasks associated with the permission. However, the user cannot perform tag operations on the object.
Global Permission | Tag-Level Permission | vCenter Server Object-Level Permission | Effective Permission |
---|---|---|---|
No tagging privileges assigned. | Dana has Assign or Unassign vSphere Tag privileges for the tag. | Dana has Delete vSphere Tag privileges on ESXi host TPA. | Dana has Assign or Unassign vSphere Tag privileges for the tag. |
Dana has Assign or Unassign vSphere Tag privileges. | No privileges assigned for the tag. | Dana has Delete vSphere Tag privileges on ESXi host TPA. | Dana has Assign or Unassign vSphere Tag global privileges. That includes privileges at the tag level. |
No tagging privileges assigned. | No privileges assigned for the tag. | Dana has Assign or Unassign vSphere Tag privileges on ESXi host TPA. | Dana does not have tagging privileges on any object, including host TPA. |
Global Permissions Complement Tag Object Permissions
Global permissions, that is, permissions that are assigned on the top-level object, complement permissions on tag objects when the permissions on the tag objects are more restrictive. The vCenter Server permissions do not affect the tag objects.
For example, assume that you assign the Delete vSphere Tag privilege to user Robin at the top level by using global permissions. For the tag Production, you do not assign the Delete vSphere Tag privilege to Robin. In that case, Robin has the privilege for the tag Production because Robin has the global permission, which propagates from the top level. You cannot restrict privileges unless you modify the global permission.
Global Permission | Tag-Level Permission | Effective Permission |
---|---|---|
Robin has Delete vSphere Tag privileges | Robin does not have Delete vSphere Tag privileges for the tag. | Robin has Delete vSphere Tag privileges. |
No tagging privileges assigned | Robin does not have Delete vSphere Tag privileges assigned for the tag. | Robin does not have Delete vSphere Tag privileges |
Tag-Level Permissions Can Extend Global Permissions
You can use tag-level permissions to extend global permissions. That means users can have both a global permission and a tag-level permission on a tag.
Global Permission | Tag-Level Permission | Effective Permission |
---|---|---|
Lee has Assign or Unassign vSphere Tag privilege. | Lee has Delete vSphere Tag privilege. | Lee has the Assign vSphere Tag privilege and the Delete vSphere Tag privilege for the tag. |
No tagging privileges assigned. | Lee has Delete vSphere Tag privilege assigned for the tag. | Lee has the Delete vSphere Tag privilege for the tag. |