When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.

Table 2-1. Differences Between vCenter Server Permissions and Global Permissions Permission Type Description vCenter Server vCenter Server permissions apply to specific objects in the inventory hierarchy, such as hosts, virtual machines, datastores, and so on. When you assign vCenter Server permissions, you specify that a user or group has a role (set of privileges) on the object. Global Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment. Global permissions also apply to global objects such as tags and content libraries. See vCenter Server Permissions on Tag Objects. If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles. Therefore, propagation at Global level is required. Answer B.

tested: propagation at global permission is sufficient

This was my answer, passed with 452

Why not A ? If you apply global permissions read permission on vcenter root object AND enable propagation, read permissions will propagate to ALL of the clusters. all of the inventory objects associated with the management vSphere cluster

"Users must be able to edit ALL OF THE INVENTORY OBJECTS associated with the workload vSphere clusters."

Virtual Machine Edit Inventory Privileges You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. Read page 453 in https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-vcenter-801-security-guide.pdf

B is the correct answer, tested in lab envoronment. Propagation is required, if not you will only set the permissions on the level where you configure it, not on the objects below.

Tested in lab. Answer is B Propagation is needed for both

only first line needs propagation

I also opt for option B. What is the point of setting the permission only on the cluster object without propagation? There can be many objects under a cluster (resource pools, hosts, VMs), etc. I don't want to have to set permissions on them separately. Definitely B!

Can someone explain: Why not B?

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-vcenter-801-security-guide.pdf

Yes propagation is needed, but for global permissions only, and then it propagates to vcenter permissions. So I think is D https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-vcenter-801-security-guide.pdf

Propagation is needed

i'd say B

I think I'll go for B. Without propagation on workload clusters, you'll get custom roles only at the root level where you apply permission