Objects might have multiple permissions, but at most one for each user or group.

Permissions applied on a child object always override permissions applied on a parent object. Virtual machine folders and resource pools are equivalent levels in the hierarchy. If a user or group is assigned propagating permissions on both a virtual machine's folder and its resource pool, the user has the privileges propagated from the resource pool and from the folder.

If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:

If no permission is defined for the user on that object, the user is assigned the union of privileges assigned to the groups for that object.

If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.
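The rules above can be modelled in a few lines to audit what a user effectively holds on an object. This is an added example, not the product's own code: the `Obj` class, the `user:`/`group:` key prefixes, the privilege labels and the sample inventory are constructed for illustration. It assumes that a virtual machine's folder and resource pool branches are each resolved separately and then unioned.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    parents: list = field(default_factory=list)  # a VM has two: its folder and its resource pool
    # principal -> (privileges, propagate); the dict key enforces
    # "at most one permission per user or group" on each object
    perms: dict = field(default_factory=dict)

def effective(obj, user, groups, inherited=False):
    """Return the set of privileges `user` (a member of `groups`) holds on `obj`."""
    def usable(principal):
        entry = obj.perms.get(principal)
        # a non-propagating permission counts only on the object it is set on
        if entry is not None and (entry[1] or not inherited):
            return set(entry[0])
        return None

    own = usable(user)
    if own is not None:
        return own  # the user's permission takes precedence over all group permissions
    group_sets = [s for g in groups if (s := usable(g)) is not None]
    if group_sets:
        return set().union(*group_sets)  # no user permission: union of the groups
    # nothing applies here, so inherit; parents at equivalent levels are unioned
    result = set()
    for parent in obj.parents:
        result |= effective(parent, user, groups, inherited=True)
    return result

def demo():
    """Constructed inventory: one VM under a folder and a resource pool."""
    folder = Obj("vm-folder", perms={"group:ops": ({"power_on"}, True)})
    pool = Obj("resource-pool", perms={"group:ops": ({"snapshot"}, True)})
    vm = Obj("vm-01", parents=[folder, pool])
    return folder, pool, vm

if __name__ == "__main__":
    folder, pool, vm = demo()
    groups = ["group:ops", "group:audit"]
    print(sorted(effective(vm, "user:alice", groups)))  # inherited from both parents
    vm.perms["group:audit"] = ({"read"}, True)
    print(sorted(effective(vm, "user:alice", groups)))  # child permission overrides parents
    vm.perms["user:alice"] = (set(), True)
    print(sorted(effective(vm, "user:alice", groups)))  # user entry beats the groups
```

An empty privilege set on a user entry models a restrictive user permission: it still wins over every group permission on the same object.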