Currently you cannot “hide” PMUs from a user who can login, the rights control who can “modify” a record.
The roles are “Viewer” (read-only access), “Editor” (edit access), “Admin” (edit access + can control security).
To create ACLs for each PMU you would need define a “Role” for each device in the system, then associate users with these device “Roles”, and finally you would need to modify the device screen to check for role access.
Not too complicated, but it is a code change to check roles on screens with device access and a schema update to synchronize device names to the roles table.
Grafana rights restriction would need to filter metadata based on these roles.