- Permissions do not propagate from a distributed switch to the NSX port groups (dvPortgroups) on that switch.
- When we create a new permission, assign the role to the distributed switch, and check the box for "Propagate to children", it doesn't propagate. The newly assigned permissions show up on the switch, but not on any of the associated port groups.
- Distributed switch security doesn't seem to propagate to the dvPort groups, even when the "Propagate to children" box is checked.
This occurs because a distributed switch and its port groups are not in a direct parent-child relationship. As the managed object browser (MOB) of the vCenter Server shows, both are child objects of the parent 'network' folder.
From https://<vc_fqdn>/mob, browse to 'content -> rootFolder -> childEntity (select relevant datacenter) -> networkFolder'. The childType listed there is Folder, Network and DistributedVirtualSwitch, so they are all child objects of the parent folder rather than of each other.
Workaround:
1. Create a new network folder.
2. Move the vDS inside this new network folder.
3. Add the permission at the network folder level with the "Propagate to children" box checked.
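The following added example (not VMware code) is a simplified model of the inheritance rule described above, showing why a propagating permission on the vDS never reaches its port groups while one on the containing folder does. The entity names, principal and role are constructed, and the model assumes the port groups sit in the same folder as the vDS after the move, as the workaround implies.

```python
# Simplified model of vCenter permission inheritance (constructed example).
PRINCIPAL, ROLE = "EXAMPLE\\netops", "NetworkAdmin"  # constructed values


class Entity:
    """One inventory object; `parent` is its container in the inventory tree."""

    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.permissions = []  # (principal, role, propagate) set directly here

    def grant(self, principal, role, propagate):
        self.permissions.append((principal, role, propagate))


def effective_roles(entity, principal):
    """Roles set directly on `entity`, or on an ancestor with propagate=True."""
    roles, node, direct = set(), entity, True
    while node is not None:
        for who, role, propagate in node.permissions:
            if who == principal and (direct or propagate):
                roles.add(role)
        node, direct = node.parent, False
    return roles


def build_inventory(use_subfolder):
    """vDS and port groups are siblings under one folder, as the MOB shows."""
    root = Entity("network", "Folder")
    # Assumption: the port groups share the new folder with the vDS.
    folder = Entity("nsx-net", "Folder", root) if use_subfolder else root
    vds = Entity("vds01", "DistributedVirtualSwitch", folder)
    pgs = [Entity(n, "Network", folder) for n in ("dvpg-web", "dvpg-db")]
    return folder, vds, pgs


def scenario(use_subfolder, grant_on):
    """Grant a propagating permission on 'vds' or 'folder'; return who gets it."""
    folder, vds, pgs = build_inventory(use_subfolder)
    target = folder if grant_on == "folder" else vds
    target.grant(PRINCIPAL, ROLE, propagate=True)
    return {e.name: sorted(effective_roles(e, PRINCIPAL)) for e in [vds, *pgs]}


if __name__ == "__main__":
    print("permission on vDS:   ", scenario(False, "vds"))
    print("permission on folder:", scenario(True, "folder"))
```

Granting on a dedicated subfolder rather than the root 'network' folder also keeps the role from reaching unrelated networks that live directly under the root.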
Reference: Hierarchical Inheritance of Permissions