vCloud Director imposes a strict separation between vSphere operations and the day-to-day operational needs of tenants.

The vCloud Director abstraction enables a service provider to delegate vApp creation, management, and use to tenant organizations (or an IT department to delegate these capabilities to line of business teams). Tenant organization administrators and users do not operate on or manage vCenter features like vMotion, VSAN, and so on. Tenants deal only with deploying their workloads (vApps) to resource pools and storage profiles, and connecting them to organization VDC networks owned by their organization. Since organization administrators and users never log in to vCenter, there's no chance of a misconfigured vCenter permission giving the user too many rights. Moreover, the provider is free to change the composition of resource pools and storage profiles without the organization needing to change anything.

More important, this abstraction separates different organizations from each other. Even if they happen to be assigned common networks, datastores, or resource pools, they cannot modify or even see each other's vApps. (The exception is vApps connected to the same External Network, as they're sharing the same vSwitch.) Providing each tenant organization with their own dedicated datastores, networks, and resource pools, while not a requirement of the system, enables the service provider to enforce even greater separation between the organizations.

Limiting Tenant Access to System Information

Although vCloud Director is designed to hide system-level operations from tenants, certain features of the system can be configured to provide information that could be misused by a malicious tenant.
Disable sending host performance data to guests.
vSphere includes virtual machine performance counters on Windows operating systems where VMware Tools is installed. By default, vSphere does not expose host information to the guest virtual machine. Because information about the physical host could be misused by a malicious tenant, you should verify that this default behavior is in place. See Verify That Sending Host Performance Data to Guests is Disabled in vSphere Security for details.
Limit the collection of VM metrics
vCloud Director can collect metrics that provide current and historic information about virtual machine performance and resource consumption. Because some of these metrics include information about the physical host, which could be misused by a malicious tenant, you should consider configuring the metrics collection subsystem to collect only those metrics that are not subject to malicious use. See Configuring Metrics Collection in the vCloud Director Administrator's Guide for details.

Exercise Caution With Extensions

vCloud Director supports a number of extensibility methods. While these methods are all designed to prevent any extension from acquiring rights not granted to tenant users or escalating the privileges that they were assigned at installation, an extension can provide, intentionally or not, additional attack surfaces that someone who has knowledge of the extension could exploit. Service providers and tenant administrators should exercise caution when offering, reviewing, or installing extensions. In addition, careful management of allowed extensions and use of appropriate safeguards such as the X-Content-Type-Options: nosniff header can prevent plugins from loading malicious content.