Users assigned to the NoAccess role in vCenter still have access
Article ID: 429056
Products
VMware vCenter Server
Issue/Introduction
Users assigned to the NoAccess role are still able to log in to vCenter and see objects in the infrastructure.
Environment
VMware vCenter Server
Cause
The user is being granted permissions through membership in a group that is assigned to another role.
Resolution
Use authz-doctor to determine which permissions and groups the user is assigned. The groups that the user is assigned to will be visible in the authz_doctor output.
Check the objects that the user can see to verify whether any groups that the user is part of have permissions assigned on those objects.
If the user doesn't need to be in that group, you can remove them from the group in Active Directory.
Be careful when modifying the permissions assigned to the role, as the change will affect all users assigned to that group/role.
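The check described in the Resolution, as an added example (not VMware's code and not authz-doctor output): it resolves a user's effective role on each object from permission entries and reports where access comes from a group rather than from the user's own NoAccess entry. The inventory, principals and permission entries are constructed, and the resolution rules are a simplified model assumed for this example: the nearest object with an applicable permission wins, a user entry beats group entries on the same object, and roles from multiple groups are combined.

```python
# Assumed, simplified resolution model (see lead-in). All data is constructed.

# Inventory tree: child -> parent
PARENT = {"vm-app01": "folder-prod", "folder-prod": "dc-east", "dc-east": None}

# Permission entries: (entity, principal, is_group, role, propagate)
PERMS = [
    ("dc-east", "CORP\\jdoe", False, "NoAccess", True),
    ("dc-east", "CORP\\vm-operators", True, "ReadOnly", True),
    ("folder-prod", "CORP\\vm-operators", True, "VirtualMachinePowerUser", True),
]

def effective_roles(entity, user, groups, perms=PERMS, parent=PARENT):
    """Return (source_entity, roles, via) for `user` on `entity`."""
    node = entity
    while node is not None:
        # Entries set on the object itself always apply; entries on an
        # ancestor apply only if they are marked to propagate.
        here = [p for p in perms if p[0] == node and (node == entity or p[4])]
        user_hits = [p for p in here if not p[2] and p[1] == user]
        if user_hits:  # user-level entry beats group entries on the same object
            return node, {p[3] for p in user_hits}, "user"
        group_hits = [p for p in here if p[2] and p[1] in groups]
        if group_hits:  # combine roles from every matching group
            return node, {p[3] for p in group_hits}, "group"
        node = parent.get(node)
    return None, set(), "none"

def audit(user, groups):
    """List objects where the user's access is granted through a group."""
    findings = []
    for entity in PARENT:
        source, roles, via = effective_roles(entity, user, groups)
        if via == "group" and roles != {"NoAccess"}:
            findings.append((entity, source, sorted(roles)))
    return findings

if __name__ == "__main__":
    for entity, source, roles in audit("CORP\\jdoe", {"CORP\\vm-operators"}):
        print(f"{entity}: {roles} via group permission set on {source}")
```

In this constructed data the user's NoAccess entry holds on dc-east itself, but the group permission set lower down on folder-prod is what decides access to the folder and the VM inside it.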