This may probably add some info here :
Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.
I just verified in my lab and was able to grant users permissions to the objects in that datacenter (not datacenter level but at cluster level and it's children)
admin1 with administrator privilege at DC level.
Was able to add user admin2 at cluster level.
However it fails with same error you mentioned when adding user at DC level.
Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered
Thanks for the link but I don't see any best practice that can explain this. I think it makes perfect sense for an admin at the data center level to be able to grant other users permissions to the data center itself as needed but it does not seem to be working.
Thanks for confirming granting users at objects below the data center works. I just don't understand why it does not allow adding users to the data center level.. If I have 10 clusters in the data center, it means I have to add the same user 10 times to each cluster in order to give the user "full" administrator right to all resources under the data center. It does not quite make sense to me...
Not sure if you managed to resolve the issue however just wanted to mention, as pointed out in the best practices:
Use caution when adding a permission to the root vCenter Server objects. Users with privileges at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings.
I've noticed even after adding a USER with permission(as ADMINISTRATOR) at root object(vCenter Server) level, still one does not see this USER added or listed under "Global Permissions"(under Home>Administration>Access Control), which makes sense and i hope is the case with you too.
I see if this user is added globally, that should do the trick.
Yes, i don't however get VMware's thought process behind having to do this when one needs to deal only with a specific vCenter instance & not globally !
I had to log in with the VMware vCenter Single Sign-On account and password before it would let me create new roles.