Setting different permissions to a group on VMs

Hi all, can you please advice me on the following permission issue? For example - we have 10 VMs. We want to be able to set some VMs so that an exact group can see them but cannot operate. And some VMs could be seen and operated by the group. What are the options to set it this way? So far we were unable to find a solution for such scenario. Thanks a lot

Does “operate” include the default buttons on the VM (like Lifecycle and Power)?

We have mostly disabled the out-of-the-box buttons in Cloudforms and replaced them with Custom Buttons with Visibility/Enablement-Expressions