VMware Cloud Community
FreddyFredFred
Hot Shot

permissions for users to manage their own folders

I'd like to give some users the ability to organize their VMs in vCenter but I can't seem to get the permissions I want. I have a folder structure something like this:

Datacenter
|
|- Group A
|- Group B
|-- Sub group 1
|-- Sub group 2

Permissions are set at the group level so group A can only see their stuff and people in group B can see anything in their two subgroups.

If I grant the ability to create/rename/move folders at the group level (with propagate to children), I seem to get what I want but with one problem: users can rename that parent folder (i.e. Group A, Group B, sub group 1 and sub group 2). Renaming those folders (or moving in the case of sub groups) will result in failures in our deployment workflows since we look for those folder names for where to place the VMs. I would also like to ensure I have unique folder names but I think I might need to give up on that idea.

As a possible workaround I looked into tags (never used them before) and while it seems like it might be a possible workaround, the way it works in the HTML client to filter, get to a list of VMs from a tag, etc. seems inferior or just doesn't work compared to the Flash client (which is disappointing since users can fully use the HTML client as it supports the limited permissions they have).

Does anyone have any suggestions or ideas on how to accomplish what I want?

Right now I think there's only 3 options:

1) Grant the folder permissions and hope users don't mess things up (Since they don't have delete permissions, any damage can technically be undone)

2) Use tags but then people are back to using the flash client

3) Try to use vRealize Orchestrator to allow people to do option 1 but I can try to write all kinds of validation (a lot more work for me and probably not worth the effort)

Thanks

0 Kudos
1 Reply
mikejroberts
Enthusiast

Have you tried using the folder "Id"? It isn't as pretty but it doesn't change with a rename and you could add some logic to rename it back to the desired name if someone changes it.

0 Kudos
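
The approach suggested in the reply above, as an added example that is not part of the original thread: a PowerCLI sketch that pins each protected folder by its Id and restores the expected name and parent if a delegated user changed them. It assumes an existing `Connect-VIServer` session; the Ids in the table are constructed placeholders and `Repair-ProtectedFolder` is a hypothetical helper name.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer session.
# The Id / ParentId values are constructed placeholders. Read the real ones with:
#   Get-Folder -Type VM | Select-Object Name, Id, ParentId
$ProtectedFolders = @(
    @{ Id = 'Folder-group-v101'; Name = 'Group A';     ParentId = 'Folder-group-v3'   }
    @{ Id = 'Folder-group-v102'; Name = 'Group B';     ParentId = 'Folder-group-v3'   }
    @{ Id = 'Folder-group-v201'; Name = 'Sub group 1'; ParentId = 'Folder-group-v102' }
    @{ Id = 'Folder-group-v202'; Name = 'Sub group 2'; ParentId = 'Folder-group-v102' }
)

function Repair-ProtectedFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable[]]$Expected)

    foreach ($entry in $Expected) {
        # Look the folder up by Id: this survives renames, moves and duplicate names.
        $folder = Get-Folder -Id $entry.Id -ErrorAction SilentlyContinue
        if (-not $folder) {
            Write-Warning "Protected folder $($entry.Id) ('$($entry.Name)') not found"
            continue
        }

        # A sub group dragged somewhere else: put it back under its expected parent.
        if ($folder.ParentId -ne $entry.ParentId) {
            $parent = Get-Folder -Id $entry.ParentId
            if ($PSCmdlet.ShouldProcess($folder.Name, "move back under '$($parent.Name)'")) {
                $folder = Move-Folder -Folder $folder -Destination $parent -Confirm:$false
            }
        }

        # A renamed folder: restore the name the deployment workflow expects.
        if ($folder.Name -cne $entry.Name) {
            if ($PSCmdlet.ShouldProcess($folder.Name, "rename to '$($entry.Name)'")) {
                Set-Folder -Folder $folder -Name $entry.Name -Confirm:$false | Out-Null
            }
        }
    }
}

# Dry run first; drop -WhatIf to apply the changes.
Repair-ProtectedFolder -Expected $ProtectedFolders -WhatIf
```

A deployment workflow can use the same lookup, `Get-Folder -Id`, to choose the placement folder, so a rename between repair runs does not break VM placement.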