Thank you very much for the reply.

Wouldn't this still allow a user to, for example, power off my VCSA if I gave their group permission to power on/off VMs?  I thought a simple fix would have been to remove permissions for non-admins to a folder and then place the VCSA into said folder, but the VCSA does not appear in the folder tab.

That is awesome, thank you very much for taking the time to explain that.  I'll give that a shot right now.

If I tweak permissions on the role I made is it applied in real time?  Does the user need to refresh the browser or do they need to fully log off and back on again?  I am testing permissions using a test account and want to make sure that I am properly testing.

Thanks again!

Log out and back in.

Also : MAKE SURE you have at least one account with full admin to top level and all child objects. (your administrator@vsphere.local) is a good one. Just in case you accidentally lock yourself out

Note: Permissions do not propagate automatically in VMware. You need to tell it to apply to child objects (if you desire, like a folder and its contents)

Good to know, thanks.

My team has been using vApps as an organizational device instead of folders, which I am planning on changing.  Is it normal that if I drag a nested vApp environment into a folder I am unable to expand any of the parent vApps to get to the individual VMs (even as the admin)?  If I select a parent vApp and check under the VMs tab I can see all VMs and child vApps however if I select any of them it snaps me back over to the 1st leftmost tab (whatever the one to the left of the folder tab is called...wish there was a tooltip so I could make more sense).

I do not have much experience with vApps so I can't answer that for you.

One more note on the permissions.

For example : You can grant a user read access to the top level of vCenter and have it propagate all the way down, this would allow a user to see everything but not make changes.

Say you create a VM and Template folder called Developers and grant a user the ability to interact with VMs (say a power user role)..

The user will have read from top level down with child propagation, but will have poweruser abilities to the folder you set those extra permissions. Very much unlike Windows and how least access defines the permission scope. VMware is per object. If you set a specific permission that will take precedence over one that is propagated via child access.. I hope this makes sense

It does.  I can't thank you enough for providing all this information.  I am leaps toward what I am wanting to do and am now just tweaking permissions based on what the users actually need to do their work.

Glad to help out. Feel free to ping me if you need more clarification. I went through all this last year when we hardened our deployment