Currently we have assigned user groups from vCenter layer (top most) and propagated down to child objects. I wanna control a particular group ( lets say, Group-A) to deny access to a cluster.
What if I assign Group-A to have "No Access" role and apply it on the cluster level that i wanna control, Will "No Access" take affect or previously applied role from vCenter layer?
What is the best way to achieve this? The requirement is to deny access to a cluster and the rest stays the same.
Its always recommended to assign permission to object level . So that restricts / provide access in a specific way.
Below doc helps you understand about Child permission overriding Parent permission :
Please mark this as "correct" or " Helpfull" if this answers your query