We have vSphere 6.7. For many years a small group of us have managed it. There was no need to let anyone else build VMs on it, as that is what we did. I now have to allow another group (Active Directory) to build VMs on it. So far I have followed an article on VMware about “Creating and assigning a role with privileges to create and manage virtual machine to a domain or local user/group (1023189)” (
Adding the role at the ‘top’ and letting it propagate down ended up giving the role access to all VMs. Exactly what I did not want. So I stopped propagation, and granted it at the top again without propagation, and moved down adding the role to the permissions of lower objects till I got to the VMs and then only gave it to a single folder which I want them to use. When they log on they only see their folder, and can manage the VM, changing the settings as needed. But, when creating a VM, it does not see any datastores. The role has permissions (browse) on all of them. Any ideas on what I could be missing?

