I am hoping for some guidance on role permissions. We use Terraform for automated VM provisioning on a VMware 7 cluster. The cluster is comprised of 7 hosts, and a few dozen VMs.
I would like to set up a new role that has appropriate permissions to create and delete new VMs under any of the 7 hosts, but at the same time I would like to restrict access to some of the existing VMs (such as my vCenter Appliance, a few domain controller VMs, etc.).
It wasn't clear how to achieve this - any guidance would be appreciated.