In vCenter Server, global permissions are applied to a global root object that spans VMware solutions. In an on-premises SDDC, global permissions might span both vCenter Server and VMware Aria Automation Orchestrator. In any vSphere SDDC, global permissions also apply to global objects such as tags and content libraries.

You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles. See Using vCenter Server Roles to Assign Privileges.

It is important to distinguish between vCenter Server permissions and global permissions.

Table 1. Differences Between vCenter Server Permissions and Global Permissions

| Permission Type | Description |
| --- | --- |
| vCenter Server | vCenter Server permissions apply to specific objects in the inventory hierarchy, such as hosts, virtual machines, datastores, and so on. When you assign vCenter Server permissions, you specify that a user or group has a role (set of privileges) on the object. |
| Global | Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment. Global permissions also apply to global objects such as tags and content libraries. See vCenter Server Permissions on Tag Objects. |

If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles.

Add a Global Permission

You can use global permissions to give a user or group privileges for all objects in all inventory hierarchies in your deployment.

Important: Use global permissions with care. Verify that you really want to assign permissions to all objects in all inventory hierarchies.

Prerequisites

To perform this task, you must have the Permissions.Modify permission privilege on the root object of all inventory hierarchies.

Procedure

  1. Log in to the vCenter Server by using the vSphere Client.
  2. Select Administration and click Global Permissions in the Access Control area.
  3. Click Add.
  4. (Optional) If you have configured an external identity provider for federated authentication, the domain of that identity provider is available to select in the Domain drop-down menu.
  5. In vSphere+ environments, if you select VMware ID from the Domain drop-down menu, enter the name of the CSP account in the Username field.
    Note: Enter the email address of the CSP account in the Username field. CSP accounts cannot be searched for in the VMwareID domain.

  6. Select the user or group that will have the privileges defined by the selected role.
    1. From the Domain drop-down menu, select the domain for the user or group.
    2. Enter a name in the Search box.
      The system searches user names and group names.
    3. Select the user or group.
  7. Select a role from the Role drop-down menu.
  8. Decide whether to propagate the permissions by selecting the Propagate to children check box.
    If you assign a global permission and do not select Propagate to children, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles.
  9. Click OK.

vCenter Server Permissions on Tag Objects

In the vCenter Server object hierarchy, tag objects are not children of vCenter Server but are created at the vCenter Server top level. In environments with multiple vCenter Server instances, tag objects are shared across vCenter Server instances. Permissions for tag objects work differently than permissions for other objects in the vCenter Server object hierarchy.

Only Global Permissions or Permissions Assigned to the Tag Object Apply

If you grant permissions to a user on a vCenter Server inventory object, such as a virtual machine, that user can perform the tasks associated with the permission. However, the user cannot perform tag operations on the object.

For example, if you grant the Assign vSphere Tag privilege to user Dana on host TPA, that permission does not affect whether Dana can assign tags on host TPA. Dana must have the Assign vSphere Tag privilege at the top level, that is, a global permission, or must have the privilege for the tag object.
Table 2. How Global Permissions and Tag Object Permissions Affect What Users Can Do

| Global Permission | Tag-Level Permission | vCenter Server Object-Level Permission | Effective Permission |
| --- | --- | --- | --- |
| No tagging privileges assigned. | Dana has Assign or Unassign vSphere Tag privileges for the tag. | Dana has Delete vSphere Tag privileges on ESXi host TPA. | Dana has Assign or Unassign vSphere Tag privileges for the tag. |
| Dana has Assign or Unassign vSphere Tag privileges. | No privileges assigned for the tag. | Dana has Delete vSphere Tag privileges on ESXi host TPA. | Dana has Assign or Unassign vSphere Tag global privileges. That includes privileges at the tag level. |
| No tagging privileges assigned. | No privileges assigned for the tag. | Dana has Assign or Unassign vSphere Tag privileges on ESXi host TPA. | Dana does not have tagging privileges on any object, including host TPA. |

Global Permissions Complement Tag Object Permissions

Global permissions, that is, permissions that are assigned on the top-level object, complement permissions on tag objects when the permissions on the tag objects are more restrictive. The vCenter Server permissions do not affect the tag objects.

For example, assume that you assign the Delete vSphere Tag privilege to user Robin at the top level by using global permissions. For the tag Production, you do not assign the Delete vSphere Tag privilege to Robin. In that case, Robin has the privilege for the tag Production because Robin has the global permission, which propagates from the top level. You cannot restrict privileges unless you modify the global permission.

Table 3. Global Permissions Complement Tag-Level Permissions

| Global Permission | Tag-Level Permission | Effective Permission |
| --- | --- | --- |
| Robin has Delete vSphere Tag privileges. | Robin does not have Delete vSphere Tag privileges for the tag. | Robin has Delete vSphere Tag privileges. |
| No tagging privileges assigned. | Robin does not have Delete vSphere Tag privileges assigned for the tag. | Robin does not have Delete vSphere Tag privileges. |

Tag-Level Permissions Can Extend Global Permissions

You can use tag-level permissions to extend global permissions. That means users can have both a global permission and a tag-level permission on a tag.

Note: This behavior is different from how vCenter Server privileges are inherited. In vCenter Server, permissions defined for a child object always override the permissions that are propagated from parent objects.
Table 4. Global Permissions Extend Tag-Level Permissions

| Global Permission | Tag-Level Permission | Effective Permission |
| --- | --- | --- |
| Lee has Assign or Unassign vSphere Tag privilege. | Lee has Delete vSphere Tag privilege. | Lee has the Assign vSphere Tag privilege and the Delete vSphere Tag privilege for the tag. |
| No tagging privileges assigned. | Lee has Delete vSphere Tag privilege assigned for the tag. | Lee has the Delete vSphere Tag privilege for the tag. |
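The following Python is an added example, not VMware code or a VMware API: it models the two resolution rules this page describes (tag privileges are the union of global and tag-level grants and ignore inventory-object grants, per Tables 2 to 4; inventory privileges follow nearest-grant-wins with propagation, per the Note above Table 4 and the Propagate to children step) so an auditor can check who ends up with which privileges. Dana, Robin, Lee, TPA and Production come from the page; Sam, Datacenter1 and VM01 are constructed.

```python
from dataclasses import dataclass

# Privilege names as they appear on this page.
ASSIGN = "Assign or Unassign vSphere Tag"
DELETE = "Delete vSphere Tag"
MODIFY = "Permissions.Modify permission"
TAG_PRIVILEGES = frozenset({ASSIGN, DELETE})

@dataclass(frozen=True)
class Permission:
    principal: str
    scope: str                 # "global", "tag:<tag>" or "object:<inventory object>"
    privileges: frozenset
    propagate: bool = True     # the "Propagate to children" check box

def effective_tag_privileges(perms, principal, tag):
    """Tables 2-4: global and tag-level grants are combined (union); a grant on
    an inventory object never yields tag privileges, even for that object."""
    result = set()
    for p in perms:
        if p.principal == principal and p.scope in ("global", f"tag:{tag}"):
            result |= p.privileges & TAG_PRIVILEGES
    return frozenset(result)

def effective_object_privileges(perms, principal, path):
    """Inventory rule (Note above Table 4): the nearest explicit grant on the
    root-to-object path wins over anything propagated from a parent, and a
    parent's (or global) grant reaches the object only if propagate was set."""
    by_scope = {p.scope: p for p in perms if p.principal == principal}
    for depth, scope in enumerate(reversed(path)):   # object first, then parents
        p = by_scope.get(scope)
        if p and (depth == 0 or p.propagate):
            return p.privileges
    g = by_scope.get("global")
    return g.privileges if g and g.propagate else frozenset()

# Constructed sample mirroring the Dana, Robin and Lee rows of Tables 2-4;
# Sam, Datacenter1 and VM01 are made up for the propagation cases.
SAMPLE = [
    Permission("Dana", "object:Datacenter1", frozenset({MODIFY})),
    Permission("Dana", "object:TPA", frozenset({ASSIGN})),      # Table 2, row 3
    Permission("Robin", "global", frozenset({DELETE})),         # Table 3, row 1
    Permission("Lee", "global", frozenset({ASSIGN})),           # Table 4, row 1
    Permission("Lee", "tag:Production", frozenset({DELETE})),
    Permission("Sam", "global", frozenset({MODIFY}), propagate=False),
]

if __name__ == "__main__":
    for who in ("Dana", "Robin", "Lee"):
        print(who, "on tag Production:", sorted(effective_tag_privileges(SAMPLE, who, "Production")))
```

Dana's Assign or Unassign grant on host TPA yields no tag privileges, while Sam's non-propagating global permission reaches no inventory object at all.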