I want app teams to be able to create their own policies for monitoring their VMs. Is there any way to do granular permissions for each policy? So they can create new children policies, but not modify the default/parent policy, etc. Or is there a tenant system where they can login to our on-prem vROPS and do their own thing basically?
Correct, you cannot customize policies at the tenant level. This is because you cannot assign RBAC roles at the policy level.
There is a great guide on setting up multi-tenancy vROps by Yves Sandfort here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vcat/vmware-multitenant-vrealize-o...
I am not sure i would want app teams doing anything to policies. They could turn of one metric and mess up a lot more and you could spend stupid amount of time working out what one to enable again. On the flip side if they enable all metrics and mess with the vrops sizing. And the last thing is if they or other teams have lots of supermetrics they could enable them on the wrong object and add load the vrops. As an example creating a SM for a cluster but enabling it on the VM objects (bad designed SM) vrops will try to calculate that SM for every VM taking up processing