I was trying to figure out how to assign departments within my organization the ability to fully administer VMs within their own folder, and I hit several obstacles. Given that I couldn't find very strong documentation on either permissions or the messages I was receiving, I'll elaborate below in hopes of helping others that are struggling with a similar problem.

Here are the permissions that ended up working well for me:

Assign the following to Datacenter, Cluster, and each of the hosts independently. DO NOT PROPAGATE if your department admins should not see machines of others

Resource -> Assign Virtual Machine to Resource Pool

*** I defined this as a separate role called something like "VM Managers"

Assign the following to the folder containing the departmental VMs. SET THIS TO PROPAGATE

Global -> Log Event
Global -> Cancel Task
Folder -> Create Folder
Folder -> Delete Folder
Folder -> Move Folder
Datastore -> Browse Datastore (so they can install from ISO)
Virtual Machine -> Inventory **check all**
Virtual Machine -> Interaction **check all**
Virtual Machine -> Configuration **check all EXCEPT Raw Device and Host USB Device**
Virtual Machine -> Provisioning **check all**
Alarms **check all**
Tasks **check all**
Scheduled Task **check all**

*** I defined this as a separate role called something like "Department VM Admin"

The last role was fairly straightforward, but the first part was hanging me up repeatedly. When I would attempt to create a VM as a department I would right-click the folder and select "New Virtual Machine". Everything was ok until "Host / Cluster" at which point I would try to select our Cluster and receive the message:

"Cannot select ClusterName due to insufficient privileges."

Best regards,

Cameron J. Smith

System Administrator, Purdue University