VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 7.0.x
VMware vCenter Server Appliance 8.0.x
This article explains how permissions are applied when different roles are assigned to different objects in the vCenter inventory.
To manage different objects with different sets of roles, you need to understand the inventory hierarchy.
For example:
If a user is part of two roles, with the administrative role on the vCenter object and limited access at the cluster level, the user's permissions on the child objects in the cluster will be a union of both roles assigned to the user.
The same user can be managed with the appropriate permissions if they are applied to the Datacenter.
In this example, Datacenter is the parent and vCenter is the grandparent.
Objects within a cluster, such as resource pools and virtual machines, also inherit permissions from alternate parents such as the host folder and the VM folder.
Note:
If a role is applied to a virtual machine, which is the ultimate object in the inventory, it takes effect regardless of other roles applied, but the role should also be added to the vCenter permissions.
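
To check where along this hierarchy a user's roles are actually defined, the following PowerCLI example (added here, not part of the original article or VMware's code) walks a virtual machine's two ancestor chains, the VM folder path and the resource pool/cluster path, up to the vCenter root and lists each permission entry set for one principal. It assumes an active Connect-VIServer session; the VM name and principal are placeholders.

```powershell
# Added example. Assumes an active Connect-VIServer session.
# 'example-vm' and 'EXAMPLE\jdoe' are placeholders, not values from the article.
$vmName    = 'example-vm'
$principal = 'EXAMPLE\jdoe'

$authMgr = Get-View AuthorizationManager

# Map role IDs to role names once, so each permission can be shown by name.
$roleName = @{}
foreach ($r in $authMgr.RoleList) { $roleName[$r.RoleId] = $r.Name }

function Get-DefinedPermission {
    param($StartRef, [string]$Path)
    $ref = $StartRef
    while ($ref) {
        $entity = Get-View -Id $ref -Property Name, Parent
        # $false = return only permissions defined on this object itself,
        # so every row shows exactly where a role was assigned.
        foreach ($p in $authMgr.RetrieveEntityPermissions($ref, $false)) {
            # Exact match on the principal string; roles granted through
            # group membership are not resolved here.
            if ($p.Principal -eq $principal) {
                [pscustomobject]@{
                    Path      = $Path
                    DefinedOn = $entity.Name
                    Type      = $ref.Type
                    Role      = $roleName[$p.RoleId]
                    Propagate = $p.Propagate
                }
            }
        }
        $ref = $entity.Parent   # becomes $null above the root folder
    }
}

$vm = (Get-VM -Name $vmName).ExtensionData

# Chain 1: VM -> VM folder(s) -> Datacenter -> vCenter root
# Chain 2: resource pool(s) -> cluster or host -> host folder -> Datacenter -> vCenter root
$rows  = @(Get-DefinedPermission -StartRef $vm.MoRef -Path 'VM folder')
$rows += @(Get-DefinedPermission -StartRef $vm.ResourcePool -Path 'Resource pool')

$rows | Format-Table -AutoSize
```

Rows with Propagate set to False apply only to the object they are defined on and are not inherited by child objects. The Datacenter and the vCenter root sit on both chains, so permissions defined there are listed once per path.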