This example illustrates how permissions assigned on a child object override permissions assigned on a parent object. You can use this overriding behavior to restrict user access to particular areas of the inventory.

In this example, permissions are to two different groups on two different objects.

Role 1 can power on virtual machines.

Role 2 can take snapshots of virtual machines.

Group A is granted Role 1 on VM Folder, with the permission set to propagate to child objects.

Group B is granted Role 2 on VM B.

User 1, who belongs to groups A and B, logs on. Because Role 2 has been assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.

Example 2: Child Permissions Overriding Parent Permissions
An example of child permissions overriding parent permissions.