Use the vSphere Client to view the privileges granted to vCenter users regardless of whether those users are defined in the default vSphere Single Sign-On domain or in an identity provider like Active Directory.

In addition to the roles and permissions described in Using vCenter Server Roles to Assign Privileges, the vCenter Server in your SDDC includes a predefined role that is not present in your on-premises vCenter:
CloudAdmin Role
The CloudAdmin role has the privileges necessary to create and manage SDDC workloads and related objects such as storage policies, content libraries, vSphere tags, and resource pools. This role cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. The CloudAdmin role can create, clone, or modify non-default roles.

The CloudAdmin user can grant other users or groups read-only access to VMware Cloud on Public Cloud vCenter management objects such as the Mgmt-ResourcePool, Management VMs folder, Discovered Virtual Machines folder, vmc-hostswitch, and vsanDatastore. Because this read-only access does not propagate to management objects, you cannot grant it as a Global Permission and instead must explicitly grant it for each management object. VMware Cloud on Public Cloud runs a script once a day that updates any newly-created management objects (such as objects in a new cluster) so that the CloudAdmin user and CloudAdminGroup SSO group have the updated role applied. The script itself does not grant additional access to any user or group, so you'll need to wait until it completes before the CloudAdmin can use this workflow to grant read-only access to those objects.