Data Center Virtualization Certification:VCP6.5-DCV Exam Guide

Determine how permissions are applied and inherited in vCenter Server

If you assign a permission to an object, it can be propagated down the object hierarchy. Propagation is enabled by default, but you can disable it for an individual permission with the Propagate to children checkbox, as follows:

Figure 1.5: Disabling permissions propagation

VMware vCenter objects are hierarchical. This means that permissions (with the Propagate to children option) are inherited: all child objects inherit from their parent objects. The following diagram, from the vSphere Security Guide, shows the entire object hierarchy:

Figure 1.6: vCenter objects hierarchy

Global permissions can also be propagated, or not propagated, to the different inventories, as happens with vCenter permissions in the object hierarchy.

Note that propagation is not necessarily enforced. The resulting permission is always the one defined at the more specific level of the hierarchy: a permission defined at the child object level always overrides a permission propagated from parent objects.
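The following sketch is an added example, not code from the book or from VMware. It models only the two rules above (the Propagate to children flag and child-level override) so that an exported permission list can be reviewed for the role a principal actually ends up with. The inventory paths, the principal, and the role assignments are constructed sample data, and the model assumes a non-propagating permission on a parent neither applies to nor blocks inheritance for its children.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    entity: str      # inventory path the permission is defined on
    principal: str   # user or group name
    role: str
    propagate: bool  # state of the "Propagate to children" checkbox

def ancestors(path):
    """Yield the object itself, then each parent, most specific first."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])

def effective_role(path, principal, permissions):
    """Return (role, defining_entity) for principal on path, or (None, None)."""
    by_entity = {p.entity: p for p in permissions if p.principal == principal}
    for node in ancestors(path):
        perm = by_entity.get(node)
        if perm is None:
            continue
        # A permission set directly on the object always applies; one set on
        # a parent applies only if it was created with propagation enabled.
        if node == path or perm.propagate:
            return perm.role, node
    return None, None

def audit(paths, principal, permissions):
    """Map each object path to the role the principal effectively holds."""
    return {p: effective_role(p, principal, permissions) for p in paths}

# Constructed sample data (hypothetical inventory and principal).
SAMPLE = [
    Permission("/vcsa/DC1", "alice", "Read-only", True),
    Permission("/vcsa/DC1/vm/Prod", "alice", "Administrator", False),
    Permission("/vcsa/DC1/vm/Test", "alice", "No access", True),
]

if __name__ == "__main__":
    objects = ["/vcsa/DC1/vm/Prod", "/vcsa/DC1/vm/Prod/db01",
               "/vcsa/DC1/vm/Test/web01", "/vcsa/DC2/vm/app01"]
    for obj, (role, src) in audit(objects, "alice", SAMPLE).items():
        print(f"{obj}: {role} (from {src})")
```

In the sample, the Administrator role on the Prod folder does not reach db01 because it was created without propagation, so db01 falls back to the Read-only role propagated from the datacenter.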

Note that some objects can exist in different inventories (such as VMs, which appear in both the Hosts and Clusters and the VMs and Templates inventories). This means that different permissions can be applied in different views.

What is the difference between global permissions and vCenter permissions applied at the vCenter object level, if you are using propagation in both cases? The vCenter object exists in all four of the inventories, so vCenter permissions are propagated only to the objects of the selected inventory. With global permissions, the propagation is on all objects!

For more information, refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-03B36057-B38C-479C-BD78-341CD83A0584.html).