Feature #401
closed
authorisation
Description
Authorisation and Policies of the whole system would be the overall goal of this feature.
It does not have to be the default, but if this were configurable, you could get the following scenarios, which I would really like to have for client management:
- A mapping of foreman-/puppet-operator groups to policies. Example: loe_operator can manage hosts with names that match `/^loe.*\.domain/` or have the node type loe_clients (`node /^loe.*\.domain$/ inherits loe_clients`).
- Views filtered by policy. Example: If an loe_operator has no rights to view reports the tab(link) should not be shown.
- Hosts and nodes filtered by policy. Example: loe_operator does not need to view hosts that do not match `/^loe.*\.domain$/` or nodes that do not have the node type loe_clients (`node /^loe.*\.domain$/ inherits loe_clients`).
One thing that you can do is to separate IT support into departments. As a university we have IT-supporters in all departments. IT-supporters should be able to integrate their managed hosts on their own, but a central IT-staff member should be able to monitor installed software versions, update the software, change configurations and help IT-supporters if needed.
All the best, Sandor
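
The three scenarios in the description, sketched as an added Ruby example. It is not part of the original request and not Foreman's code; `Policy`, `hosts_for`, the view names and the sample hosts are hypothetical. It also compares the host pattern with and without an end anchor, since the two forms scope different hosts.

```ruby
# Added illustration, not Foreman code. All names here are hypothetical and
# the host list is constructed sample data.
Policy = Struct.new(:group, :host_pattern, :node_types, :views) do
  # In scope if the host name matches the pattern OR the node type is listed.
  def covers?(host)
    host_pattern.match?(host[:name]) || node_types.include?(host[:node_type])
  end

  # Deny by default: a tab is rendered only if the policy names the view.
  def visible_views(all_views)
    all_views & views
  end
end

HOSTS = [
  { name: "loe01.domain",       node_type: "loe_clients" },
  { name: "lab07.domain",       node_type: "loe_clients" }, # in scope via node type
  { name: "phy01.domain",       node_type: "phy_clients" },
  { name: "loe99.domain.other", node_type: "default" }
].freeze

ALL_VIEWS = %w[hosts facts reports].freeze

# Pattern as written in the first bullet: no end anchor.
UNANCHORED = Policy.new("loe_operator", /^loe.*\.domain/,
                        ["loe_clients"], %w[hosts facts])

# Anchored form. In Ruby, ^ and $ match at line boundaries, so \A and \z
# are used to bind the pattern to the whole host name.
ANCHORED = Policy.new("loe_operator", /\Aloe.*\.domain\z/,
                      ["loe_clients"], %w[hosts facts])

# Names of the hosts an operator with this policy may see or manage.
def hosts_for(policy, hosts = HOSTS)
  hosts.select { |h| policy.covers?(h) }.map { |h| h[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "anchored:   #{hosts_for(ANCHORED).inspect}"
  puts "unanchored: #{hosts_for(UNANCHORED).inspect}"
  puts "tabs:       #{ANCHORED.visible_views(ALL_VIEWS).inspect}"
end
```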