...
By default, enterprise administrators can manage networks and IPs and all users can manage private and VDC default networks, and IPs.
Standard users who have privileges to configure VMs can add public, floating and NAT IPs that are already assigned to the VDC and IPs that are available in external networks. And users can always create IPs and add IPs in private networks.
Control access to virtual network elements
To prevent users administrators from performing the following list of actions in the virtual datacenter, remove the "Manage virtual network elements" privilege from the user enterprise administrator role:
- Manage private networks and IPs
- Edit networks to set the default VDC network
- Manage public, NAT, or floating IPs
...