Thank you! That is a good hint. Indeed, when you configure it that way, users cannot see every resource pool and VM. That is way better.
There is one problem left. When we give the privilege "Assign virtual machine to resource pool" to users at the cluster level, even if propagate is unchecked and users therefore cannot move machines into each other's resource pools, they are still able to move machines directly to the cluster resource pool. They would be able to bypass the resource restrictions we set on their resource pools.
Am I still missing out on something? Is there another trick that will do it?