"Read-only provider should see all organization, vApp, VM and Networks in this Organizations, resource organizations, but don't change anythings."
vCloud does not allow this (if I read what you want correctly). Basiclly to stay true to the multi-tenancy model VMware allows a system admin role that can do anything... and then real roles at a per org level (so a readonly admin would need an account per org with the rights they have for that org). It is a real pain and one I know has been requested of VMware to allow to be changes (to support Enterprise customers for one place - as maybe some users should have read rights in some orgs, and full in others - using the same account).
Please open a request with VMware letting them know what you need, hopfully we can get plent of people doing this and they will make the roles model a little more robust.