So are you saying this process: Add Members to a vCenter Single Sign-On Group is only supported by using the vSphere Web client? (SSO Admin UI plugin) and that there are NO features in vRO to complete that exact task?
If that is the case, would you recommend an external group (AD or OpenLDAP) be created outside of vCenter SSO Users/Groups?? Then with that external group, you would apply vRO access rights to the entire group and just handle the user administration/membership for the group on the directory service itself (AD or OpenLDAP) instead of handling membership via vCenter SSO Users/Groups?