Permissions are the associations of roles with privileges on a specified managed entity. You use permissions to specify which users can access which managed entity.

A child entity inherits the permissions of its parent if the parent’s propagate property is set to true. A permission that is set directly on a child overrides the permission in the parent. To grant permission to all child entities of a Datacenter object, assign permissions to the Datacenter object and set the Permission object’s propagate property to true.

Inventory and Permissions shows that users root and vpxuser both have permissions on the rootFolder of the inventory. The vpxuser is the account created on a host by the vCenter Server system when that host is added to the vCenter Server system. The vCenter Server system needs access to the inventory objects of the host systems that it manages, so the vpxuser account is granted privileges to the rootFolder of each host.

Important: See Authentication and Authorization for a detailed discussion of privileges, permissions, and user management.
Figure 1. Inventory and Permissions
Shows hierarchy of permissions from Service instance and content to root folder and datacenter.