Users do not reflect the correct permission/inventory immediately after changing their groups

Article ID: 322781

Updated On:

Products

VMware

Issue/Introduction

To understand the behavior of the vSphere Client.

Symptoms:
  • Users do not reflect the correct permission/inventory immediately after their groups are changed.
  • It takes a long time for changes to sync and be reflected in the web client and UI client.
  • When a user is removed from one group and added to another group, the user still shows the old permission after logging off and logging in again.
  • This issue is seen with vsphere.local SSO accounts as well as Active Directory accounts.
For example, consider the following scenario:
- Create 2 vsphere.local groups: testgroup1 and testgroup2
- Create a vsphere.local user: [email protected]
- Create 2 Folders: Folder-1 and Folder-2
- Add testgroup1 to Folder-1 (Read-only permission)
- Add testgroup2 to Folder-2 (Read-only permission)
- Add local user "test-user" to "testgroup1" first. Log in with the test-user account, and you will be able to see Folder-1.
- Log off
- Add local user "test-user" to "testgroup2" and remove it from "testgroup1". Log in with the test-user account, but now you can't see Folder-2. Instead, you still see Folder-1.


Cause

When a new user session is created, if there was a session for the same user, the permissions data from it is reused. This means that changes in permissions which come from membership in groups do not take effect until all sessions for the user are terminated and a new one is created.


Resolution

In vSphere 7.0, we recompute the user permissions if an SSO token is used and the groups for it are different from the groups in the existing session.
To resolve this issue, download VMware vCenter Server 7.0.0 from the Customer Connect Downloads page.


Workaround:
To work around this issue, log out of all existing sessions for the account and then log in again so that the full group membership takes effect.
NOTE: This action does not require a reboot.
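
The reuse described under Cause, the vSphere 7.0 change and the workaround can be replayed against the testgroup1/testgroup2 scenario with a small Python model. This is an added illustration, not VMware code: the class, function and variable names are hypothetical, and it assumes a second session for test-user is still open when the user logs back in.

```python
# Toy model of the behaviour described under Cause and Resolution.
# All names are hypothetical; this is not vCenter code.

GROUP_PERMS = {"testgroup1": {"Folder-1"}, "testgroup2": {"Folder-2"}}  # constructed ACLs


def resolve(groups):
    """Compute the folders visible to a principal from its group list."""
    return set().union(*(GROUP_PERMS.get(g, set()) for g in groups))


class SessionStore:
    def __init__(self, recompute_on_group_change):
        self.recompute = recompute_on_group_change
        self.sessions = {}   # session id -> user
        self.cached = {}     # user -> (groups when computed, visible folders)
        self._next = 0

    def login(self, user, token_groups):
        groups = frozenset(token_groups)
        entry = self.cached.get(user)
        live = user in self.sessions.values()
        stale = entry is not None and entry[0] != groups
        # Old behaviour: reuse cached data whenever another session is live.
        # 7.0 behaviour: also recompute when the token's groups differ.
        if not live or entry is None or (self.recompute and stale):
            self.cached[user] = (groups, resolve(groups))
        self._next += 1
        self.sessions[self._next] = user
        return self._next

    def logout(self, sid):
        user = self.sessions.pop(sid)
        if user not in self.sessions.values():
            self.cached.pop(user, None)   # last session gone: cached data dropped

    def visible(self, sid):
        return self.cached[self.sessions[sid]][1]


def replay(recompute, terminate_all=False):
    """Log in twice, change groups, log back in; return the folders seen."""
    store = SessionStore(recompute)
    first = store.login("test-user", ["testgroup1"])
    lingering = store.login("test-user", ["testgroup1"])   # e.g. a second client
    store.logout(first)
    if terminate_all:
        store.logout(lingering)                            # the workaround
    return store.visible(store.login("test-user", ["testgroup2"]))
```

`replay(False)` returns the stale Folder-1 view, while `replay(False, terminate_all=True)` and `replay(True)` both return Folder-2.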

Additional Information

Impact/Risks:
None.