vCenter Resources and View Hiding Operations

A resource is visible when any of the following criteria is met:

  • The user has the View_All_Children privilege on that particular resource.
  • The user has the View_All_Children privilege on a child of the resource.
  • The user has the View_All_Children privilege on an ancestor of the resource AND the privilege is not overridden by the trust manifest associated with the resource.

For example, using the image below, if the View_All_Children privilege is assigned to the VM folder, then the user can view everything in the VM folder, but nothing in the Host, Storage, or Network folders. If the View_All_Children privilege is assigned to Storage.Datastore, then everything at the datastore level AND the Storage folder can be viewed.
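The three rules can be checked against a small model of the hierarchy. The following is an added example, not product code. It assumes the folder layout described in the text, uses constructed names (BlueVM, GreenVM, Host.Cluster, Network.Switch), represents a trust manifest override as a set of resource names, and assumes that an override on a folder also blocks inheritance for the resources beneath it.

```python
# Added illustration: a model of the three visibility rules, not product code.
# Constructed hierarchy (child -> parent). Folder names come from the text;
# BlueVM, GreenVM, Host.Cluster and Network.Switch are made-up placeholders.
PARENT = {
    "BlueFolder": "VM", "GreenFolder": "VM",
    "BlueVM": "BlueFolder", "GreenVM": "GreenFolder",
    "Storage.Datastore": "Storage",
    "Host.Cluster": "Host",
    "Network.Switch": "Network",
}
RESOURCES = set(PARENT) | set(PARENT.values())


def inherits(res, granted, overridden):
    """Rule 3: an ancestor holds the grant and no override blocks it.

    Assumption: an override on res, or on a folder between res and the
    granted ancestor, stops the inherited privilege at that point.
    """
    node = res
    while node in PARENT and node not in overridden:
        node = PARENT[node]
        if node in granted:
            return True
    return False


def is_visible(res, granted, overridden=frozenset()):
    """granted: resources where the user holds View_All_Children.
    overridden: resources whose trust manifest overrides an inherited grant."""
    if res in granted:                                   # rule 1: on the resource
        return True
    if any(PARENT.get(g) == res for g in granted):       # rule 2: on a child
        return True
    return inherits(res, granted, overridden)            # rule 3: on an ancestor


def visible_set(granted, overridden=frozenset()):
    """Return every resource in the model that the user can see."""
    return {r for r in RESOURCES if is_visible(r, granted, overridden)}


if __name__ == "__main__":
    print(sorted(visible_set({"VM"})))                   # VM folder and its contents
    print(sorted(visible_set({"Storage.Datastore"})))    # datastore plus Storage folder
    print(sorted(visible_set({"VM"}, {"GreenFolder"})))  # GreenFolder branch hidden
```

The second case shows the effect of the child rule: a grant on the datastore alone also exposes its parent Storage folder, which is worth checking when auditing privilege assignments.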

Tags can be assigned to all resources except individual VMs to restrict resource visibility. VMs are dependent on their parent folder, so in this example, you can use tags on BlueFolder and GreenFolder to affect their respective VMs, but not any VMs that are directly under the top-level VM folder.

vCenter Resources