2V0-622 · Question #417
Group A has permission to download files in Content Library. Group B does not have permission to download files in Content Library. If a user is a member of both groups, what will be the result?
The correct answer is B. The user can download file from Content Library.. vSphere applies permissions additively across group memberships, so a user inherits the union of all group privileges. Because Group A grants the download right in Content Library, that permission applies to the user regardless of Group B lacking it.
Question
Group A has permission to download files in Content Library. Group B does not have permission to download files in Content Library. If a user is a member of both groups, what will be the result?
Options
- AThe user cannot download file from Content Library.
- BThe user can download file from Content Library.
- CThe user cannot access Content Library.
- DThe user can access Content Library.
How the community answered
(48 responses)- A13% (6)
- B77% (37)
- C4% (2)
- D6% (3)
Why each option
vSphere applies permissions additively across group memberships, so a user inherits the union of all group privileges. Because Group A grants the download right in Content Library, that permission applies to the user regardless of Group B lacking it.
vSphere does not use a least-permissive or deny-wins model by default, so Group B lacking the download permission does not negate the download right granted to the user via Group A.
vSphere evaluates a user's effective permissions as the cumulative union of all roles assigned through every group they belong to. Since Group A explicitly grants the Content Library download privilege, that right is active for the user even though Group B does not have it. vSphere does not apply a deny-override model by default, so the broader permission wins.
There is no indication either group is denied access to Content Library itself - only the download sub-privilege differs, so restricting all access is not the correct outcome.
While correct that the user can access Content Library, this answer is incomplete because it ignores the download permission conflict that is the actual focus of the question.
Concept tested: Additive vSphere permissions across multiple group memberships
Source: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html
Topics
Community Discussion
No community discussion yet for this question.