I have my custom role created (just allows basic access to power on/off VMs and snapshot them). In 5.5, I could assign it to a folder under VMs and Templates (or to a specific VM) and everything was great. I built a new 6.0 vCenter and am having the same problem as others now.
Following your example, if I have 10 different user groups using the same role, and if I want to prevent them from seeing other folders, it seems like I have to do the following:
Create an "all" group for all my user groups (to save adding permissions to a bunch of groups)
Data Center > Read-only, no propagate, to "all" group
All Clusters > Read-only, no propagate, to "all" group
VM folders > Custom role, propagate, to user group
If I have to make an exception for 1 VM, for example, it seems like I need to assign a role to the VM and user, then go back to the folder, cluster and DC and give read-only permissions to this one user? That seems crazy and makes a huge mess out of the permissions.
I also discovered that if I remove a permission, regardless of whether it's on a test VM I'm using or a random folder, I get empty inventory. Add permission back, to anything, and I see my VMs again. That can't be normal?!?
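The three-layer layout described in the post (Read-only without propagation on the datacenter and clusters for an umbrella group, then the custom role with propagation on each team's VM folder) can be scripted with VMware PowerCLI so it is applied consistently and can be audited afterwards. This is an added example, not code from the original poster; the group names, the custom role name and the folder names are hypothetical placeholders, and it assumes you have already run Connect-VIServer against the 6.0 vCenter.

```powershell
# Added example (not from the original post): applies the permission layout
# described above with VMware PowerCLI.
# Hypothetical names: 'EXAMPLE\vc-all-users', 'VM-PowerSnapshot', the team
# groups and the folder names. Replace them with your own.
# Assumes an existing session: Connect-VIServer -Server vcenter.example.local

$allGroup   = 'EXAMPLE\vc-all-users'                 # hypothetical "all" umbrella group
$customRole = Get-VIRole -Name 'VM-PowerSnapshot'    # hypothetical custom role (power on/off + snapshot)
$readOnly   = Get-VIRole -Name 'ReadOnly'            # built-in Read-only role

# Hypothetical map: VM folder name -> the one group that gets the custom role there
$folderOwners = @{
    'Team-A-VMs' = 'EXAMPLE\team-a'
    'Team-B-VMs' = 'EXAMPLE\team-b'
}

# 1. Datacenter: Read-only, no propagate, to the "all" group
foreach ($dc in Get-Datacenter) {
    New-VIPermission -Entity $dc -Principal $allGroup -Role $readOnly -Propagate:$false | Out-Null
}

# 2. Every cluster: Read-only, no propagate, to the "all" group
foreach ($cluster in Get-Cluster) {
    New-VIPermission -Entity $cluster -Principal $allGroup -Role $readOnly -Propagate:$false | Out-Null
}

# 3. Each VM folder: custom role, propagate, to that folder's own group only
foreach ($folderName in $folderOwners.Keys) {
    $folder = Get-Folder -Name $folderName -Type VM
    New-VIPermission -Entity $folder -Principal $folderOwners[$folderName] -Role $customRole -Propagate:$true | Out-Null
}

# 4. Audit: list every permission entry with its entity, principal, role and
#    propagate flag, so a removed or re-added entry can be seen rather than
#    inferred from whether the inventory looks empty.
Get-VIPermission |
    Select-Object Entity, Principal, Role, Propagate |
    Sort-Object Entity, Principal |
    Format-Table -AutoSize
```

Running the audit step before and after removing a single permission shows exactly which entry changed, which is the first thing to compare when the inventory view disappears as described in the post.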