You would need to use the concept of domains, and associate users to particular domains.
Management modules would also be in the same domains.
Key to this would be having agents reporting data into these domains, part of the domains.xml has agent mapping configuration so that agents will show up in those domains as well.
However, you have to be careful about mapping agents to custom domains as you then effectively lose historical data for them as the domain is part of the reference for viewing the data.
Documentation on domains is available here:
https://docops.ca.com/ca-apm/10-7/en/administrating/apm-security/define-and-configure-introscope-domains
That is really the only sure way of limiting access to a subset of the data