Creating a managed unit that does not contain the delegated read permissions. This end result is that the Managed Units will not appear in the Active Roles Web Interface or MMC console.
Limited permissions available out-of-the box; regular users wont be able to see Managed Units.
Delegate All objects - read all properties at the managed unit to which you delegated rights. This will then show the Managed units in both the Active Roles Web Interface or MMC console.