When I assign the required VM-creation permissions to a group and set that at the top 'Hosts & Clusters' level, I can create VMs anywhere within the VC heirarchy.
However, when I set the exact same permissions to a different group of users but at the individual Cluster level, I'm unable to create VMs because I don't have rights to see the datastores (even though one of the permissions I set is to be able to browse the datastore).
I'm confused - is the top level permission granting extra rights that the cluster-level permission doesn't?
Thanks