As far as I know, that's not possible. Roles and rights are assigned to organization and users and applied to general object types (all vApps, all VMs, all oVDCs, etc.). That means, you can only assign roles or permissions to tenants (organizations) or users, but not to oVDCs. And if you set the right to view the object type "oVDCs" in a role, all users with this role can see all oVDCs that belong to the corresponding organization. There is no mechanism for selecting "Allow view for oVDC X, Y and Z".