While the majority of requirements can be fulfilled, there are some limitations when using RBAC and dynamic groups to build a multitenant like environment:

Alerts and symptoms within vRealize Operations Manager are based on policies. Each object can only hold one policy. For example, while the service provider might be interested to see if a VM is overprovisioned, this information will be visible to the tenant as well. Whatever the alert or symptom raises will always be visible for everyone with access to the object.

You can link a customer-based policy to a dynamic group object specific to the customer, but you cannot allow customization of this policy by a tenant/customer, because it is not possible to operate permissions on a per-policy basis.

All account management and permission control must be performed by the service provider. While a tenant can have different users with different permissions, it is not possible to allow the tenant control/customization.

vRealize Operations Manager provides for remediation actions, which operate under a central account and might be a security risk. Therefore, VMware does not recommend allowing any tenant/customer access to remediation actions.