That worked, thanks LucD:
#INSTALL ssoadmin (if not already installed)
#Find-Module -Name VMware.vSphere.SsoAdmin | Install-Module -Scope CurrentUser
#New SSO user details
$userName = 'ROReports'
$pswd = 'New4You@2024'
$desc = 'Report only plus DS browse for Reports'
$email = 'ROReports@vsphere.local'
# SSO admin account & VCSA
$vcsa = 'vcneo.lebrine.local'
($cred = Get-Credential)
#Create the local vsphere.local SSO account
Connect-SsoAdminServer -Server $vcsa -credential $cred -SkipCertificateCheck
New-SsoPersonUser -UserName $userName -Password $pswd -Description $desc -EmailAddress $email
Disconnect-SsoAdminServer -Server $vcsa
#Connect to the vCenter and apply
connect-viserver $vcsa -credential $cred
#Create the vcenter role
New-VIRole -name RO+DSBrowse -Privilege "Browse datastore" -Server $viserver
#Modify the existing role to add/remove privileges (if required)
#Set-VIRole -Role RO_DS_Browse -AddPrivilege (Get-VIPrivilege -name "Browse datastore") -Server $viserver
#Remove-VIRole -Role "ROReports+DSBrowse" -Force -Confirm:$false
#Assign permissions to at the vcenter level and propogate
New-VIPermission -Role RO+DSBrowse -Principal VSPHERE.LOCAL\$userName -Entity (Get-Folder "Datacenters" -Type Datacenter | Where { $_.ParentId -eq $null })
Disconnect-VIServer -Server $vcsa -Force -Confirm:$false