VMware Cloud Community
mrstorey303
Enthusiast

Basics! - Permission Enumeration in vCenter

Hi,

To settle an internal debate we're having here, I'm reaching out to the forums....

For years now, I've been working with the understanding that permissions in vCenter are cumulative, a little like NTFS permissions.  So, if you apply X permission at the root level, and Y permission one level down, then the resulting permission on that object is XY.  But, the 'No Access' permission trumps all these, working similar to the 'deny' privilege in the NTFS / Windows world.

Hopefully we all agree on that (however please correct me if I'm wrong).

But, we've also been told by a reliable source that the *most restrictive* permission wins when enumerating different roles / permission sets on the same object for the same user (and I don't mean the No Access role).  So, if a user has both 'Read Only' and 'Administrator' on the same object, then the 'Read Only' permission will win.  This would obviously only occur when assigning permissions via groups, and said user is a member of both groups, because it's not actually possible to set multiple roles for a single user or group against a single object.

Has anyone else heard this?

...I was willing to accept this, until I tested it just now.  I created two groups:

- Cluster-ReadOnly

- Cluster-Admin

And assigned the built in 'read only' and 'administrator' roles respectively to a single cluster object, and placed a test user in both groups.

....I ended up with administrator privileges, and not Read only.

This makes me think that permissions are either truly cumulative, or when enumerating they process in alphabetical order and stop at the first match.

I'll do some more testing here, but does anyone know, or can reference the doc with the definitive answer?

Thanks.

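To make the rules under debate concrete, here is an added example (not from the original post, and not VMware code) that models in Python how I read VMware's documented permission-combination rules and then reproduces the test described above. The rules it encodes, all assumptions on my part from the "Hierarchical Inheritance of Permissions" documentation, are: a permission applies to its object and, if propagate is on, to the children; a permission on a child object overrides anything inherited from a parent; several group permissions on the same object give the user the union of their privileges; and a permission set explicitly for the user on an object takes precedence over group permissions on that same object (which is why an explicit 'No Access', a role with zero privileges rather than a deny, carves a user out). It goes beyond the post's scenario by also covering the child-overrides-parent, explicit-user-override and propagate-off cases. Role privilege sets, object names, group names and the user are constructed for the example; real roles carry hundreds of privilege IDs.

```python
# Added example: a toy model of vCenter permission combination (assumptions noted in
# comments); role contents, inventory and principals are constructed for illustration.
from dataclasses import dataclass

# Constructed stand-ins for built-in roles (a representative handful of privilege IDs).
ROLES = {
    "Administrator": {
        "System.Anonymous", "System.View", "System.Read",
        "VirtualMachine.Interact.PowerOn", "VirtualMachine.Config.Settings",
    },
    "Read Only": {"System.Anonymous", "System.View", "System.Read"},
    "No Access": set(),  # a role with zero privileges, not a deny entry
}

# Constructed inventory: child -> parent; "vCenter" is the root.
PARENT = {"Datacenter1": "vCenter", "Cluster1": "Datacenter1", "VM-A": "Cluster1"}


@dataclass(frozen=True)
class Permission:
    principal: str       # user name or group name
    role: str            # key into ROLES
    is_group: bool
    propagate: bool = True


def ancestors(obj):
    """Yield obj, then each parent up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def applicable_permissions(obj, perms, user, groups):
    """Walk from obj towards the root. The first level where the user (directly or
    via a group) holds a permission decides access (child overrides parent);
    permissions above obj only count if they propagate; an explicit user
    permission on the deciding level beats group permissions on that level."""
    for level, node in enumerate(ancestors(obj)):
        hits = [p for p in perms.get(node, [])
                if (p.is_group and p.principal in groups)
                or (not p.is_group and p.principal == user)]
        if level > 0:
            hits = [p for p in hits if p.propagate]
        if hits:
            user_hits = [p for p in hits if not p.is_group]
            return user_hits or hits
    return []


def effective_privileges(obj, perms, user, groups):
    """Union of the privileges of every applicable permission (cumulative)."""
    privs = set()
    for p in applicable_permissions(obj, perms, user, groups):
        privs |= ROLES[p.role]
    return privs


def op_scenario():
    """The post's test: Read Only and Administrator on one cluster via two groups."""
    perms = {"Cluster1": [Permission("Cluster-ReadOnly", "Read Only", is_group=True),
                          Permission("Cluster-Admin", "Administrator", is_group=True)]}
    return effective_privileges("Cluster1", perms, "testuser",
                                {"Cluster-ReadOnly", "Cluster-Admin"})


def child_override_scenario():
    """Administrator at the datacenter, Read Only set directly on one VM."""
    perms = {"Datacenter1": [Permission("DC-Admins", "Administrator", is_group=True)],
             "VM-A": [Permission("VM-Readers", "Read Only", is_group=True)]}
    groups = {"DC-Admins", "VM-Readers"}
    return (effective_privileges("Cluster1", perms, "u", groups),
            effective_privileges("VM-A", perms, "u", groups))


def user_no_access_scenario():
    """A group grants Administrator, but the user is explicitly given No Access."""
    perms = {"Cluster1": [Permission("Cluster-Admin", "Administrator", is_group=True),
                          Permission("testuser", "No Access", is_group=False)]}
    return effective_privileges("Cluster1", perms, "testuser", {"Cluster-Admin"})


def no_propagate_scenario():
    """Administrator on the datacenter with propagation switched off."""
    perms = {"Datacenter1": [Permission("DC-Admins", "Administrator",
                                        is_group=True, propagate=False)]}
    return (effective_privileges("Datacenter1", perms, "u", {"DC-Admins"}),
            effective_privileges("Cluster1", perms, "u", {"DC-Admins"}))


if __name__ == "__main__":
    print("OP test, effective on Cluster1:", sorted(op_scenario()))
    print("Child override (Cluster1, VM-A):", child_override_scenario())
    print("Explicit No Access for user:", user_no_access_scenario())
    print("Propagate off (Datacenter1, Cluster1):", no_propagate_scenario())
```

Running it, the post's scenario yields the full Administrator privilege set (the union of Read Only and Administrator is Administrator, since Read Only is a subset), which matches what the poster observed; the other three functions show where a more restrictive result does come from: a permission set lower in the tree, an explicit user assignment, or a parent permission that was not set to propagate.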
2 Replies
Finikiez
Champion

Hello!

There is no magic here.

Your example is described in documentation Example 1: Inheritance of Multiple Permissions

mrstorey303
Enthusiast

OK, perfect, exactly what I was looking for: permissions are cumulative. The 'reliable source' in this instance was actually someone from VMware support!  So happy this does indeed work the way we thought it did.

Thanks.
