Higher-level objects (like vCenter, Cluster and Datacenter) need specific permissions, but without propagation.
Lower-level objects (like Resource Pool, VM Folder) need those same permissions, but allowed to propagate.
Networks and Datastores need customized permissions because any permission which propagates from the vCenter or Datacenter will apply to everything equally.
Here is a write-up: Cloud permissions for VMware vSphere (Roles, Privileges and Permissions) | JohnBorhek.com
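
The inheritance behaviour described above, as an added example that is not part of the original post: a simplified model that computes which objects a principal ends up with a role on, comparing one propagating grant at the Datacenter with the scoped layout. The inventory, object names and role names are constructed placeholders, and the model only covers a single principal.

```python
# Simplified model of vSphere permission inheritance (constructed inventory).
# All object and role names are hypothetical placeholders.
PARENT = {  # child -> parent
    "dc1": "vcenter", "cluster1": "dc1", "rp-cloud": "cluster1",
    "folder-cloud": "dc1", "vm-cloud-01": "folder-cloud",
    "folder-other": "dc1", "vm-other-01": "folder-other",
    "net-cloud": "dc1", "net-mgmt": "dc1",
    "ds-cloud": "dc1", "ds-backup": "dc1",
}
ALL_OBJECTS = ["vcenter"] + list(PARENT)

def effective_role(obj, perms):
    """perms maps object -> (role, propagate) for one principal.
    A permission set directly on the object wins; otherwise the nearest
    ancestor whose permission is marked as propagating applies."""
    if obj in perms:
        return perms[obj][0]
    node = PARENT.get(obj)
    while node is not None:
        if node in perms and perms[node][1]:
            return perms[node][0]
        node = PARENT.get(node)
    return None

def reachable(perms):
    """Objects on which the principal holds any role."""
    return sorted(o for o in ALL_OBJECTS if effective_role(o, perms))

# One propagating grant at the Datacenter: applies to everything below it.
naive = {"dc1": ("CloudRole", True)}

# Scoped layout: no propagation high up, propagation only on the resource
# pool and VM folder, separate grants on one network and one datastore.
scoped = {
    "vcenter": ("CloudRole", False),
    "dc1": ("CloudRole", False),
    "cluster1": ("CloudRole", False),
    "rp-cloud": ("CloudRole", True),
    "folder-cloud": ("CloudRole", True),
    "net-cloud": ("CloudNetworkRole", False),
    "ds-cloud": ("CloudDatastoreRole", False),
}

if __name__ == "__main__":
    print("naive :", reachable(naive))
    print("scoped:", reachable(scoped))
    print("extra exposure:", sorted(set(reachable(naive)) - set(reachable(scoped))))
```

The difference between the two result sets is the list to review when auditing an existing service account: every object in it is reachable only because of propagation from above.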