We would like to assign permissions for a group (users are in the vsphere.local domain) to allow members of this group to create, import (from OVF or from a content library) and modify VMs only in a specified:
- cluster or resource pool (hosts and cluster view),
- folder (VMs and templates view),
- datastore (Datastore View),
and assign only specified networks to VMs created by those users.
Those users must not see VMs, hosts, clusters, datastores, networks, etc. other than those they are allowed to.
They must not see VMs created by users outside this group and they must not see resources other than those they are allowed to use.
Assigning permissions should be done not at the SSO level, but at the vCenter level or lower.
How can we achieve that?