User should not be able to list or act on devices that are not in groups that their role has been granted access to. Related to UX task MEN-3350, but more specifically about hiding device groups from users in the UI.
My understanding: for example, a user is assigned a role that only allows them permission for the device group "test_devices". This user will not see "All devices", pending devices, any other device group, any deployments to groups other than "test_devices".
Eystein Maloy Stenberg We should also be careful with rejected devices and device preauthorization. This could get complicated – should we hide these tabs from users without the full permissions?