VMware Aria Operations custom scope permissions are not enforced in Automation Central

Article ID: 439320

Products

VCF Operations

Issue/Introduction

  • A user account in VMware Aria Operations 8.18.x is able to view and interact with all objects (VMs, Hosts, Clusters) despite being assigned a restrictive Custom Scope.
  • Automation Central jobs (e.g., "Delete Unused Snapshots") show all virtual machines in the environment rather than only those defined in the user's assigned scope.
  • The user is able to execute actions on resources they should not have permission to manage.

Environment

VMware Aria Operations 8.18.x

Cause

This issue occurs if the user account has been assigned a global role (such as ContentAdmin or Administrator) mapped to the All Objects scope.

In VMware Aria Operations, permissions are additive. If a user is granted "All Objects" access at any role level or through group membership, those global permissions supersede more restrictive assignments. The custom scope remains active, but its restrictive properties are negated by the higher-level global assignment.

Resolution

To enforce the intended object restrictions (Scoped Operator behavior), reconfigure the user's Access Control settings to remove any "All Objects" global assignments:

  1. Log in to VMware Aria Operations with administrative privileges.
  2. Navigate to Administration > Control Panel > Access Control.
  3. Click on the User Accounts tab and select the affected user.
  4. Click the vertical ellipsis (three dots) and select Edit.
  5. Under the Assign Roles and Scopes section, identify and remove any role (e.g., ContentAdmin) that is mapped to the All Objects scope.
  6. Click the plus (+) icon to add a new assignment.
  7. Select an appropriate role (e.g., PowerUser or a custom operator role).
  8. In the Scope dropdown, select the specific Custom Scope intended for this user.
  9. Click Save.
  10. Ensure the user is not a member of any User Groups (under the Groups tab) that are also providing an inherited All Objects scope.

Verification

  1. Have the affected user log out and log back in to VMware Aria Operations.
  2. Navigate to Environment > Inventory or Operations > Automation Central.
  3. Verify that the user only sees the specific objects defined within their assigned Custom Scope.
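
To check many accounts at once for the condition described under Cause, including the group-inherited case in step 10 of the Resolution, the additive model can be applied to a list of role and scope assignments. The following is an added example, not VMware code: the data layout, user names, group names and scope names are constructed for illustration and do not represent an Aria Operations export format.

```python
# Added example: find accounts whose custom scope is negated by an
# "All Objects" assignment, whether direct or inherited from a group.
# The data layout is a constructed stand-in, not a product export format.
ALL_OBJECTS = "All Objects"

# Constructed sample data: direct (role, scope) assignments and group membership.
USERS = {
    "ops-alice": {"assignments": [("ContentAdmin", ALL_OBJECTS),
                                  ("PowerUser", "Scope-Finance-VMs")],
                  "groups": []},
    "ops-bob": {"assignments": [("PowerUser", "Scope-Dev-VMs")],
                "groups": ["vc-admins"]},
    "ops-carol": {"assignments": [("PowerUser", "Scope-Dev-VMs")],
                  "groups": ["dev-operators"]},
}
GROUPS = {
    "vc-admins": [("Administrator", ALL_OBJECTS)],
    "dev-operators": [("PowerUser", "Scope-Dev-VMs")],
}


def effective_assignments(user, users=USERS, groups=GROUPS):
    """Return every (source, role, scope) that applies to the user.

    Permissions are additive, so direct and group-inherited assignments are
    combined; a narrower scope never subtracts from a wider one.
    """
    entry = users[user]
    result = [("direct", role, scope) for role, scope in entry["assignments"]]
    for group in entry["groups"]:
        result += [(f"group:{group}", role, scope)
                   for role, scope in groups.get(group, [])]
    return result


def negated_scopes(users=USERS, groups=GROUPS):
    """Map each user whose custom scope is overridden to the offending grants."""
    findings = {}
    for user in users:
        combined = effective_assignments(user, users, groups)
        custom = sorted({s for _, _, s in combined if s != ALL_OBJECTS})
        via = [(src, role) for src, role, s in combined if s == ALL_OBJECTS]
        if custom and via:
            findings[user] = {"custom_scopes": custom, "all_objects_via": via}
    return findings


if __name__ == "__main__":
    for user, detail in negated_scopes().items():
        for source, role in detail["all_objects_via"]:
            print(f"{user}: {detail['custom_scopes']} negated by {role} ({source})")
```

Each finding names the source of the All Objects grant, which indicates whether the fix is step 5 (a direct role) or step 10 (a user group).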