When I assign the required VM-creation permissions to a group and set that at the top 'Hosts & Clusters' level, I can create VMs anywhere within the VC hierarchy.
However, when I set the exact same permissions to a different group of users but at the individual Cluster level, I'm unable to create VMs because I don't have rights to see the datastores (even though one of the permissions I set is to be able to browse the datastore).
I'm confused - is the top level permission granting extra rights that the cluster-level permission doesn't?
OK, I think I can answer my own question.
It looks as though applying permissions at the 'Hosts & Clusters' level assumes 'read-only' rights on the entire infrastructure.
This is what I was lacking when I applied the same permissions to the lower Cluster level.
Oh well, at least I know.
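As an added illustration (not part of the original thread), the PowerCLI commands below reproduce the two setups described above and apply the fix the poster arrived at: give the cluster-scoped group Read-Only on the datastores it cannot otherwise see. The vCenter name, the AD group names, the datacenter and cluster names and the role name are placeholder assumptions.

```powershell
# Added example, not from the original post. Assumed placeholders:
# vcenter.example.local, LAB\vm-creators-global, LAB\vm-creators-cluster1,
# datacenter "DC1", cluster "Cluster1", role "VM Creator (lab)".

Connect-VIServer -Server vcenter.example.local

# Privileges a VM-creation role needs; Datastore.Browse is among them, which is
# why a missing datastore *read* permission is easy to overlook.
$vmCreatePrivs = Get-VIPrivilege -Id @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk',
    'Resource.AssignVMToPool',
    'Datastore.AllocateSpace',
    'Datastore.Browse',
    'Network.Assign'
)
$role = New-VIRole -Name 'VM Creator (lab)' -Privilege $vmCreatePrivs

# Setup 1 (works): role assigned at the root of the inventory and propagated.
# Datastores and networks live under the datacenter, so the group inherits
# read access to them along with the VM-creation privileges.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal 'LAB\vm-creators-global' -Role $role -Propagate:$true

# Setup 2 (fails as described): the same role assigned only on the cluster.
# Propagation stops at the cluster's children (hosts, resource pools, VMs);
# the datastore objects are siblings of the cluster, not descendants, so the
# group has no permission on them at all and cannot see them.
$cluster = Get-Cluster -Name 'Cluster1'
New-VIPermission -Entity $cluster -Principal 'LAB\vm-creators-cluster1' -Role $role -Propagate:$true

# Fix: grant Read-Only on the datastores the cluster uses. Read-Only is the
# built-in role; the VM Creator role on the cluster still applies there because
# a permission set closer to an object overrides one inherited from above.
$readOnly = Get-VIRole -Name 'ReadOnly'
$cluster | Get-VMHost | Get-Datastore | Sort-Object -Unique Name | ForEach-Object {
    New-VIPermission -Entity $_ -Principal 'LAB\vm-creators-cluster1' -Role $readOnly -Propagate:$false
}

# Check the effective assignments on each datastore for the cluster-scoped group.
$cluster | Get-VMHost | Get-Datastore | Sort-Object -Unique Name |
    Get-VIPermission -Principal 'LAB\vm-creators-cluster1' |
    Select-Object Entity, Principal, Role, Propagate
```

Granting Read-Only on the whole datacenter with propagation is the broader equivalent of what the root-level assignment gave the first group; scoping it to the datastores (and, by the same logic, the port groups the VMs attach to) keeps the cluster-level group from reading objects it has no business with.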