The easy ones are the portgroups on dvSwitches.
As an example
$user=Get-VIAccount-Name"domain\lucd"
$role=Get-VIRole-NameNetworkAdmin
$dvPg=Get-VDPortgroup-Name"dvPortgroup"
New-VIPermission-Principal$user-Role$role-Entity$dvPg
The regular portgroups require the use of the API.
For example
$pgName="VM Network"
$pg=Get-VirtualPortGroup-Name"VM Network"|Select-First1
$net=Get-View (Get-View$pg.VMHostId).Network|where {$_.Name-eq$pgName}
$authMgr=Get-ViewAuthorizationManager
$perm=New-ObjectVMware.Vim.Permission
$perm.Principal="domain\lucd"
$perm.RoleId=$role.Id
$perm.Propagate=$true
$perm.Group=$false
$authMgr.SetEntityPermissions($net.moref,$perm)
Since the Get-VirtualPortgroup cmdlet doesn't give you direct access to the corresponding Network object, you will have to find it via the ESXi network property.