Hi! There seems to be no way to limit which portgroups are visible to a tenant? I hope I am missing something:
It seems that, regardless of what I attempt, if the ESXi instances a tenant user has permission to consume can see a portgroup, then the tenant can see it as well.