When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. Propagation is set per permission, not universally applied. Permissions defined for a child object always override those propagated from parent objects.

vSphere Inventory Hierarchy illustrates the vSphere inventory hierarchy, and the paths by which permissions can propagate.

Figure: vSphere Inventory Hierarchy (inheritance of permissions down the object hierarchy)

Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent datacenter. However, virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously. This means that to restrict a user’s privileges on a virtual machine, you must set permissions on both the parent folder and the parent host, cluster or resource pool for that virtual machine.
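The two-parent rule for virtual machines, as an added example that is not part of the original documentation and does not use the vSphere API. It is a simplified Python model in which the inventory names, the principal `alice` and the role labels are constructed, and which assumes that roles reaching a virtual machine by different paths all apply. It shows that restricting only the virtual machine folder leaves the datacenter's role reachable through the cluster.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    parents: list = field(default_factory=list)  # a VM has two parents
    perms: dict = field(default_factory=dict)    # principal -> (role, propagate)

def propagated(entity, principal):
    """Roles flowing down to children of `entity`: {defining object: role}."""
    if principal in entity.perms:
        role, propagate = entity.perms[principal]
        if propagate:
            return {entity.name: role}  # nearest definition overrides ancestors
    # Model assumption: a non-propagating permission does not block ancestors.
    sources = {}
    for parent in entity.parents:
        sources.update(propagated(parent, principal))
    return sources

def effective(entity, principal):
    """A permission on the object itself wins; otherwise collect every path."""
    if principal in entity.perms:
        return {entity.name: entity.perms[principal][0]}
    sources = {}
    for parent in entity.parents:
        sources.update(propagated(parent, principal))
    return sources

def build(restrict_cluster):
    # Constructed inventory: datacenter -> {VM folder, cluster} -> VM
    dc = Entity("dc1", perms={"alice": ("Administrator", True)})
    folder = Entity("prod-vms", [dc], {"alice": ("ReadOnly", True)})
    cluster = Entity("cluster1", [dc])
    if restrict_cluster:
        cluster.perms["alice"] = ("ReadOnly", True)
    return Entity("db01", [folder, cluster])

if __name__ == "__main__":
    for fixed in (False, True):
        print("cluster restricted:", fixed, effective(build(fixed), "alice"))
```

Each key in the result is the object whose permission reaches the virtual machine, so any path that still resolves to a broader role than intended marks the parent that needs its own permission.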

You cannot set permissions directly on a vNetwork Distributed Switch. To set permissions for a vNetwork Distributed Switch and its associated dvPort Groups, set permissions on a parent object, such as a folder or datacenter, and select the option to propagate these permissions to child objects.

Permissions take several forms in the hierarchy:

Managed entities

Can have permissions defined on them.

Networks (except vNetwork Distributed Switches)

dvPort Groups

Resource pools

Virtual machines

Global entities

Derive their permissions from the root vCenter Server system.

Custom fields

Statistics intervals