Yeah, well that's dandy of support to /say/ that but I don't believe it for a moment. I just upgraded to 2.5U1 (84767) and am still sorting through problems that have developed in my previous permission settings in 2.0.1. I have 3 datacenters, 6 clusters spread amongst them, and pretty serious folder structure in the VM view. I grant selective read-only, user, VM admin, and cloning permissions based on groups to different parts of the folder structure and clusters.
The big headache came when I found that folks with user perms were getting spurious "permission denied" messages even though their actual operations were completing fine. Through observation, we figured out that the error was related to the ESX host name not showing up in the "Host" column or in the title bar of console windows. So I granted DC browser privileges to the ESX hosts and viola! But I'm sure there must be a better way.
I just wish there was some actual freakin' documentation of how they've adjusted the permissions model. The documentation in the admin guide is a real joke because it fails to illuminate the task permission requirements on different parts of the object model. Even the information I got for VC 1.x and 2.0.x came from the community... so has someone actually sorted this out yet? I'm muddling through for the moment, but it's especially frustrating.