If you wish to create a custom vSphere Role that has the ability to view vSphere Namespaces which is part of vSphere with Tanzu, you will need to add the user to the following vSphere Single Sign-On Group: ServiceProviderUsers, which is located under Single Sign On->Users and Groups->Groups (2nd page) within the vSphere UI.
Once added, you can logout and log back in and the user should now see the vSphere Namespaces as shown in the screenshot below. In my example, I have a user named william which is created in the default vsphere.local domain and has been assigned the user the vSphere Read Only role along with this additional SSO group. They will be able to view all resources but will not have permission to make any changes to the infrastructure. If you are using Active Directory, the exact same process works and just make sure you log out and log back in for the changes to take effect.
Is this limited to vsphere.local accounts only? This works for me with a local account but if I use an account from an AD/ldap domain, I don't see the UI tree from the Namespace resource downward. I can, however, browse these objects via the Namespace tab on the tanzu enabled cluster.
Same issue here, with AD account it is not enough it seems.
It looks like this has been asked in a few places and the answer is no, this is NOT limited to just vSphere SSO Domain. This also works for Active Directory and I had just confirmed this after setting up IWA for my VCSA and followed the exact same instructions as noted above. Make sure you log out and log back in
Thanks William!:) At my side it is working now with an AD user. It looks like it took a while, however I did logout-login already few times.