I've a single vCenter that supports two different Clusters that have separate Admins for each. What's the best way to ensure one group can't see the other's resources in vROPS? Do I create two vROPS instances and use vCenter permissions to only grant access to the minimum set of resources for each vROPS adapter, or can I do this within vROPS safely enough?
Permissions can be fairly granular in vROps. You can restrict them to a single cluster or group of VMs. This should work well for read only or general user access. If they want any level of admin access in vROps, for example to manage the policies for their cluster or add management packs, then you'll probably need to have two vROps instances. If you're unsure and don't mind managing a second vROps instance, that might be the safer option. It gives you some flexibility down the road if they want more control in vROps (if you think that could be an eventual outcome). If not, one vROps with separate user groups for each cluster should be fine.