When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. Propagation is set per permission, not universally applied. Permissions defined for a child object always override those propagated from parent objects.

vSphere Inventory Hierarchy illustrates the vSphere inventory hierarchy, and the paths by which permissions can propagate.

[Figure: vSphere Inventory Hierarchy, showing inheritance of permissions down the object hierarchy]

Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent datacenter. However, virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously. This means that to restrict a user’s privileges on a virtual machine, you must set permissions on both the parent folder and the parent host, cluster or resource pool for that virtual machine.

You cannot set permissions directly on a vNetwork Distributed Switch. To set permissions for a vNetwork Distributed Switch and its associated dvPort Groups, set permissions on a parent object, such as a folder or datacenter, and select the option to propagate these permissions to child objects.
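To make the two-parent rule concrete, the following is an added Python model of the propagation behaviour described above. It is example code written for this page, not VMware's API or PowerCLI, and the inventory objects (dc-01, prod-vms, cluster-a, rp-dev, web-01) and the user alice are constructed sample data. The model makes one simplifying assumption beyond the text: a non-propagating permission on an object stops propagation for that principal below that object. It shows that restricting alice only on the VM folder still leaves the Administrator role reaching the VM through the cluster and resource pool path, and that restricting both parents is what actually takes effect.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Permission:
    """A vSphere-style permission: a principal, a role, and a propagate flag."""
    principal: str
    role: str
    propagate: bool


@dataclass
class InvObject:
    """An inventory object. Most have one parent; a virtual machine has two
    (its VM folder and its host, cluster, or resource pool)."""
    name: str
    kind: str
    parents: List["InvObject"] = field(default_factory=list)
    permissions: List[Permission] = field(default_factory=list)


def propagated_from(obj: InvObject, principal: str) -> Set[str]:
    """Roles that flow out of obj to its children for this principal.

    A permission defined directly on obj overrides anything propagated to it,
    so only obj's own roles can continue downward, and only when flagged
    propagate=True. Model assumption: a non-propagating permission on obj
    stops propagation for that principal below obj.
    """
    own = [p for p in obj.permissions if p.principal == principal]
    if own:
        return {p.role for p in own if p.propagate}
    roles: Set[str] = set()
    for parent in obj.parents:
        roles |= propagated_from(parent, principal)
    return roles


def effective_roles(obj: InvObject, principal: str) -> Set[str]:
    """Roles in force on obj for the principal: a direct definition wins,
    otherwise the union of whatever propagates from every parent."""
    own = {p.role for p in obj.permissions if p.principal == principal}
    if own:
        return own
    roles: Set[str] = set()
    for parent in obj.parents:
        roles |= propagated_from(parent, principal)
    return roles


def build_inventory() -> dict:
    """Constructed sample inventory (not taken from any real vCenter)."""
    dc = InvObject("dc-01", "Datacenter")
    vm_folder = InvObject("prod-vms", "Folder", [dc])
    cluster = InvObject("cluster-a", "Cluster", [dc])
    pool = InvObject("rp-dev", "ResourcePool", [cluster])
    # The VM sits under both the folder and the resource pool at once.
    vm = InvObject("web-01", "VirtualMachine", [vm_folder, pool])
    return {"dc": dc, "folder": vm_folder, "cluster": cluster, "pool": pool, "vm": vm}


def scenario(restrict_folder: bool, restrict_pool: bool,
             dc_propagate: bool = True) -> Set[str]:
    """Grant alice Administrator at the datacenter, optionally override her
    with NoAccess on one or both VM parents, and return her roles on the VM."""
    inv = build_inventory()
    inv["dc"].permissions.append(Permission("alice", "Administrator", dc_propagate))
    if restrict_folder:
        inv["folder"].permissions.append(Permission("alice", "NoAccess", True))
    if restrict_pool:
        inv["pool"].permissions.append(Permission("alice", "NoAccess", True))
    return effective_roles(inv["vm"], "alice")


if __name__ == "__main__":
    print("no restriction      :", scenario(False, False))   # {'Administrator'}
    print("folder only         :", scenario(True, False))    # {'Administrator', 'NoAccess'}
    print("folder and pool     :", scenario(True, True))     # {'NoAccess'}
    print("dc non-propagating  :", scenario(False, False, dc_propagate=False))  # set()
```

The middle case is the one that matters for access reviews: the folder-level NoAccess looks like a lockdown, but the resource-pool path still delivers Administrator, so an audit of a VM's effective permissions has to walk both parent chains, not just the folder tree.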

Permissions take several forms in the hierarchy:

Managed entities can have permissions defined on them. These are clusters, datacenters, datastores, folders, hosts, networks (except vNetwork Distributed Switches), dvPort Groups, resource pools, templates, virtual machines, and vApps.

Global entities derive their permissions from the root vCenter Server system. These are custom fields, licenses, roles, statistics intervals, and sessions.