I found this information pertaining to vCenter 4.1...
If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:
- If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
- If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.
I have just tested this against vCenter 5.1 and get the expected behaviour as above...
daniel is an AD account in the ESX Admins group in AD assigned to the Administrator role in vCenter. daniel is also assigned to the ESX Read-Only AD group. If I create a new folder in vCenter "folder1" and assign "ESX Read-Only" read-only permissions to this folder, the daniel account has read-only access as expected. The permissions set on the child object folder1 override inherited permissions.
Leaving the above permissions in place, where daniel is a member of an Administrator (inherited) group and a Read-Only (child object) group on folder1, with the more specific permissions on the child object taking precedence: if I add a permission for the user daniel as Administrator on folder1, daniel now has Administrator permissions on this folder. The user-defined permission on the object takes precedence over all the group permissions.
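The two test runs above follow from three rules in the quoted documentation: a permission set on a child object overrides one propagated from an ancestor, a permission for the user itself beats any group permission on the same object, and when only group permissions apply the user gets the union of their privileges. The following is an added example (not the poster's code and not VMware's implementation) that models those rules as a small resolver and replays the daniel/folder1 scenario; the inventory, role contents and privilege names are constructed for the demo, and the `propagate` flag is assumed to work as the vSphere "Propagate to children" checkbox does.

```python
"""Toy model of vCenter permission resolution (added example, not from the
original post and not VMware's code). Rules modelled, from the quoted docs:
  1. A permission defined on a child object overrides one propagated from
     an ancestor (only propagating permissions are considered on ancestors).
  2. On a given object, a permission defined for the user itself takes
     precedence over all permissions defined for the user's groups.
  3. If only group permissions apply on that object, the user receives the
     union of those groups' privileges.
Role contents and privilege names below are a constructed subset.
"""
from dataclasses import dataclass, field

ROLES = {  # constructed: a handful of real-looking privilege names per role
    "Administrator": {"System.View", "Folder.Create", "Folder.Delete",
                      "VirtualMachine.Interact.PowerOn"},
    "Read-Only": {"System.View"},
}


@dataclass
class Permission:
    principal: str          # user or group name
    role: str               # key into ROLES
    is_group: bool
    propagate: bool = True  # assumed: "Propagate to children" checkbox


@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)


def effective_privileges(obj, user, groups):
    """Walk from obj towards the root and stop at the first object where a
    permission applies to the user (rule 1). On that object prefer a
    user-specific permission (rule 2), else union the group roles (rule 3)."""
    node, inherited = obj, False
    while node is not None:
        # Permissions on ancestors only count if they propagate.
        perms = [p for p in node.permissions if not inherited or p.propagate]
        user_perms = [p for p in perms if not p.is_group and p.principal == user]
        if user_perms:
            return set(ROLES[user_perms[0].role])
        group_perms = [p for p in perms if p.is_group and p.principal in groups]
        if group_perms:
            privs = set()
            for p in group_perms:
                privs |= ROLES[p.role]
            return privs
        node, inherited = node.parent, True
    return set()  # no applicable permission anywhere in the chain


def daniel_scenario():
    """Replay the two steps from the post. Returns (step1, step2) privilege sets."""
    root = InvObject("Datacenters")  # constructed root of the inventory
    root.permissions.append(Permission("ESX Admins", "Administrator", is_group=True))
    folder1 = InvObject("folder1", parent=root)
    folder1.permissions.append(Permission("ESX Read-Only", "Read-Only", is_group=True))
    groups = {"ESX Admins", "ESX Read-Only"}

    # Step 1: only the Read-Only group permission sits on folder1, so it
    # overrides the Administrator permission inherited from the root.
    step1 = effective_privileges(folder1, "daniel", groups)

    # Step 2: a user-specific Administrator permission on folder1 beats the
    # group permission on the same object.
    folder1.permissions.append(Permission("daniel", "Administrator", is_group=False))
    step2 = effective_privileges(folder1, "daniel", groups)
    return step1, step2


if __name__ == "__main__":
    s1, s2 = daniel_scenario()
    print("after group permission only:", sorted(s1))
    print("after adding user permission:", sorted(s2))
```

The resolver deliberately stops at the nearest object carrying any applicable permission, which is why the inherited Administrator role never combines with the child-object Read-Only role: union only happens between group permissions on the same object, never across levels of the hierarchy.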