VMware Cloud Community
patriccc
Contributor

Question about vCloud Director tenant users' rights

I have vCloud Director 8.20 with some organizations in it.

The question is: can these organizations have their own sub-organizations?

Or can they have some permissions for a user to only see specific VMs and networks?

Or must I, as System Administrator, set up sub-organizations for them?

That is, I am the owner of the system and have resellers who have their own customers in the vCloud?

I don't see anything about that, so I think it does not function like this.

Is this possible in the next version, vCloud Director 9.0?

1 Reply
jonathanw
Enthusiast

Not sure I fully understand what you are asking, but I'll take a stab at this:

vCloud Director typically uses Organizations to separate tenant environments from each other in a shared environment. Users in an Organization will be able to see resources (Virtual Datacenters / VDCs, vApps, VMs, Networks etc.) within their own Organization but no others. There is no mechanism to share access to resources between users in different Organizations.

Within a single Organization you can have multiple VDCs, and you can restrict users to only be able to see/use resources from these selectively. This isn't exposed directly in the vCloud Director user interface but can be done using API calls. See Tom Fojta's Blog here for this: Organization VDC Permissions in vCloud Director – Tom Fojta's Blog

Within a VDC, users holding the 'Organization Administrator' role will see all vApps and VMs, but users with other roles can be limited to only see/access specific vApps that have been 'shared' with them using vApp rights assignment.

Generally a combination of roles, VDC permissions and vApp permissions can be used to provide any form of security model / governance required, but it depends a bit more on exactly what you are trying to achieve.

As far as I have seen, nothing changes between v8.20 and v9.0 in terms of the vCloud Director security model or access controls; the major change is that Organizations in multiple vCloud Director installations (for example, in different datacenters) can be federated with each other to provide a single sign-on experience when multiple vCloud cells are in use.
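
A simplified model of the three layers described in the reply above (Organization boundary, VDC permissions, vApp sharing), added here as an illustration; it is not vCloud Director code, not part of the original post, and does not call the vCloud API. All names and the sample inventory are constructed, and the model assumes that an unrestricted VDC is visible to every user of its Organization and that a VDC restriction applies regardless of role.

```python
from dataclasses import dataclass, field
from typing import Optional

ORG_ADMIN = "Organization Administrator"

@dataclass(frozen=True)
class User:
    name: str
    org: str
    role: str

@dataclass
class Vdc:
    org: str
    name: str
    # None = every user of the Organization may see the VDC (model assumption);
    # otherwise only the listed user names may, whatever their role (assumption).
    allowed: Optional[set] = None

@dataclass
class VApp:
    org: str
    vdc: str
    name: str
    shared_with: set = field(default_factory=set)  # user names the vApp is shared with

def can_see(user, vapp, vdcs):
    if user.org != vapp.org:                       # layer 1: Organization boundary
        return False
    vdc = vdcs[(vapp.org, vapp.vdc)]
    if vdc.allowed is not None and user.name not in vdc.allowed:
        return False                               # layer 2: VDC permissions
    if user.role == ORG_ADMIN:                     # layer 3: role, then vApp sharing
        return True
    return user.name in vapp.shared_with

def visibility(users, vapps, vdcs):
    """Effective view per user: the vApp names each one can see."""
    return {u.name: sorted(v.name for v in vapps if can_see(u, v, vdcs)) for u in users}

# Constructed sample inventory: two tenant Organizations.
USERS = [User("alice", "org-a", ORG_ADMIN), User("bob", "org-a", "vApp User"),
         User("carol", "org-b", ORG_ADMIN)]
VDCS = {(v.org, v.name): v for v in [Vdc("org-a", "prod", {"alice", "bob"}),
                                     Vdc("org-a", "dev", {"alice"}), Vdc("org-b", "prod")]}
VAPPS = [VApp("org-a", "prod", "web", {"bob"}), VApp("org-a", "prod", "db"),
         VApp("org-a", "dev", "test", {"bob"}), VApp("org-b", "prod", "crm")]

if __name__ == "__main__":
    for name, seen in visibility(USERS, VAPPS, VDCS).items():
        print(f"{name}: {seen}")
```

Comparing this kind of effective-visibility listing against the intended one is a quick way to review a tenant's access setup; in the sample, the share of `test` with `bob` has no effect in the model because `bob` is not permitted on the `dev` VDC.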