What i have noticed after few attempts is that there is no need to apply vum permissions on vc / root level. What's more, in order to have the ability to schedule for example vm tools update using vum, you have to have privilege "Configure service" which has description of : ": configure the vsphere update manager service and the scheduled task to download patches, extensions, notifications, and related data." But this does not say clearly that this privileges gives rights to remediate virtual machine at given scheduled date task. It is possible to put permission with those privileges only to some folder with vms, and it works.
---
@blog https://grzegorzkulikowski.info