It is quite common for different groups of users to be responsible for deploying the MCS profiles for specific technologies, for example, DBA's SQL server/Oracle.
To perform this they will need a certain level of permissions, but at the moment this is only controlled, at the device level, by Origin. It is all or nothing. If they have MCS permissions for one group then they have permissions for all groups
It would be very useful to include ACL at the group level so that a single user will have admin permissions for certain groups and read only permissions for other groups.
That way they can see other groups data and only have control over their technology groups.