Okay, finally got it all to work.
1) Create role with permissions to read and add to the content library.
2) Apply to Global with apply to children option for AD user group.
3) Create role with permissions to deploy and manage virtual machines.
4) Apply No Access role with apply to children to each vCenter for AD user group.
5) Apply manage virtual machines role to specific resources (resource pool, folder, network, vSAN, etc.)
Now when users are added to group in AD, they can log in to vCenter and only see their resource pool, folders, networks, etc. while still being able to use the Content Library for approved ISOs and templates.
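A PowerCLI version of the five steps above, added here as an illustrative example and not part of the original post. The vCenter hostnames, the AD group, the inventory object names and the privilege ID lists are assumptions for illustration; confirm the privilege IDs in your own environment with Get-VIPrivilege before creating the roles. Step 2 (the Global permission) is not covered by New-VIPermission, which only acts on vCenter inventory objects, so that one step is done in the vSphere Client as the post describes.

```powershell
# Added example, not from the original post. Server names, the AD group,
# object names and privilege IDs below are assumptions; verify privilege IDs
# with: Get-VIPrivilege -Id 'ContentLibrary.*'  /  Get-VIPrivilege -Id 'VirtualMachine.*'
Import-Module VMware.PowerCLI

$vCenters  = @('vc01.corp.example', 'vc02.corp.example')   # assumed: one entry per vCenter
$principal = 'CORP\vSphere-TenantA-Operators'               # assumed AD group

# Step 1: privileges for a role that can read the content library and add items to it (assumed IDs).
$clPrivIds = @(
    'ContentLibrary.ReadStorage',
    'ContentLibrary.AddLibraryItem',
    'ContentLibrary.UpdateSession',
    'ContentLibrary.DownloadSession',
    'ContentLibrary.TypeIntrospection'
)

# Step 3: privileges for a role that deploys and operates VMs (assumed IDs).
# Deliberately no host, cluster, vCenter or permission-management privileges.
$vmPrivIds = @(
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Provisioning.DeployTemplate', 'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract',
    'Resource.AssignVMToPool',
    'Network.Assign',
    'Datastore.AllocateSpace', 'Datastore.Browse'
)

foreach ($vc in $vCenters) {
    $srv = Connect-VIServer -Server $vc

    # Roles live per vCenter, so create them on each one if they do not exist yet.
    $clRole = Get-VIRole -Server $srv -Name 'ContentLibrary-ReadAdd' -ErrorAction SilentlyContinue
    if (-not $clRole) {
        $clRole = New-VIRole -Server $srv -Name 'ContentLibrary-ReadAdd' `
                             -Privilege (Get-VIPrivilege -Server $srv -Id $clPrivIds)
    }
    $vmRole = Get-VIRole -Server $srv -Name 'VM-Operator' -ErrorAction SilentlyContinue
    if (-not $vmRole) {
        $vmRole = New-VIRole -Server $srv -Name 'VM-Operator' `
                             -Privilege (Get-VIPrivilege -Server $srv -Id $vmPrivIds)
    }

    # Step 2 is done in the vSphere Client (Administration > Access Control > Global Permissions):
    # add $principal with role 'ContentLibrary-ReadAdd' and "Propagate to children" ticked.
    # New-VIPermission cannot set Global permissions; a permission on the vCenter root folder is not the same thing.

    # Step 4: No Access on the vCenter root, propagated, so the group sees nothing by default.
    # More specific permissions set below take precedence over this one.
    $root = Get-Folder -Server $srv -NoRecursion
    New-VIPermission -Server $srv -Entity $root -Principal $principal `
                     -Role (Get-VIRole -Server $srv -Name 'NoAccess') -Propagate $true | Out-Null

    # Step 5: VM-Operator only on the tenant's own objects (assumed names; skipped if absent on this vCenter).
    $targets = @(
        Get-ResourcePool -Server $srv -Name 'RP-TenantA'    -ErrorAction SilentlyContinue
        Get-Folder       -Server $srv -Name 'TenantA-VMs'   -Type VM -ErrorAction SilentlyContinue
        Get-VDPortgroup  -Server $srv -Name 'DPG-TenantA'   -ErrorAction SilentlyContinue
        Get-Datastore    -Server $srv -Name 'vsanDatastore' -ErrorAction SilentlyContinue
    ) | Where-Object { $_ }
    foreach ($obj in $targets) {
        New-VIPermission -Server $srv -Entity $obj -Principal $principal -Role $vmRole -Propagate $true | Out-Null
    }

    # Check: list exactly what the group holds on this vCenter before handing it to users.
    Get-VIPermission -Server $srv -Principal $principal |
        Select-Object Entity, Role, Propagate | Format-Table -AutoSize

    Disconnect-VIServer -Server $srv -Confirm:$false
}
```

Two points worth checking after running it. First, the final Get-VIPermission listing should show only the root NoAccess entry plus the tenant objects; anything else means a stale permission from earlier experiments. Second, applying the full VM-Operator role to the port group and the datastore grants more than those objects need; a tighter variant of step 5 uses two small roles containing only Network.Assign and only Datastore.AllocateSpace plus Datastore.Browse for those two objects, keeping VM-Operator for the resource pool and VM folder.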