The RBAC implementation is not allowing a server-group scoped role to read resources in the host=* tree unless one of these is true:

1) the host only contains a server mapped to the server group
2) the host doesn't contain any servers.

This is consistent with handling of other "mappable" things but is contrary to the docs, which declare

"In addition to these privileges, users in a server-group scoped role will have non-sensitive read privileges (equivalent to the Monitor role) for resources other than those listed above."

but don't list these host resources.

It's also unintuitive, as the s-g-s-r is actually allowed to add a server on the host, but can't read the other host resources before doing so.

Also, asking the DC for the list of host names will include the host, but trying to read its root resource will result in a NoSuchResourceException.

The issue dates back to 8.0, but recent changes to the console have resulted in this breaking console behavior.