Key points about assigning and modifying permissions for vCenter Server
There are several key points to keep in mind when you are working with vCenter Server permissions. Whether a ONTAP tools for VMware vSphere task succeeds can depend on where you assigned a permission, or what actions a user took after a permission was modified.
You only need to set up vCenter Server permissions if you want to limit access to vSphere objects and tasks. Otherwise, you can log in as an administrator. This login automatically allows you to access all vSphere objects.
Where you assign a permission determines the ONTAP tools tasks that a user can perform.
Sometimes, to ensure the completion of a task, you must assign the permission at a higher level, such as the root object. This is the case when a task requires a privilege that does not apply to a specific vSphere object (for example, tracking the task) or when a required privilege applies to a non-vSphere object (for example, a storage system).
In these cases, you can set up a permission so that it is inherited by the child entities. You can also assign other permissions to the child entities. The permission assigned to a child entity always overrides the permission inherited from the parent entity. This means that you can permissions to a child entity as a way to restrict the scope of a permission that was assigned to a root object and inherited by the child entity.
|Unless your company's security policies require more restrictive permissions, it is a good practice to assign permissions to the root object (also referred to as the root folder).
Permissions and non-vSphere objects
The permission that you create are applied to a non-vSphere object. For example, a storage system is not a vSphere object. If a privilege applies to a storage system, you must assign the permission containing that privilege to the ONTAP tools root object because there is no vSphere object to which you can assign it.
For example, any permission that includes a privilege such as the ONTAP tools privilege "Add/Modify/Skip storage systems" must be assigned at the root object level.
You can modify one permission at any time.
If you change the privileges within a permission, the user associated with that permission should log out and then log back in to enable the updated permission.