Multi-tenancy and administrator permissions

You can grant module specific access without making a user a full admin. You can also apply account limitations, but if you make the Account an Admin in the main account screen it will give that account the access to simply remove those limitations themselves.

if they don’t need full access you can apply an account limitation, give permission to Manage Nodes and maybe manage views, then make them SAM Admin so they can edit there own application monitors.

Adding on to the above, you will need to do a lot of testing around setting up multi tenancy in this way to make sure you do a good job of it, the Orion suite isn't really dialed in for it at this point in time and depending which modules you have there will be a lot of data bleeding through beyond the account limitations.

Essentially, any type of orion object that isn't a node, or a child of a node will not be filtered by the normal types of account limitations.  So typically this means everything relating to SRM, WPM, IPAM, and VMAN datastores would be out in the open across all tenants.  There are some ways you might be able to mitigate the exposure by restricting access to some types of views or modules, and if you use groups to define the limitation instead of a node property you get a lot more control of what will or won't show up, but ultimately it's a lot of duct tape holding things in place and if you are really concerned about data leakage it can get rough.  It would also be worth pointing out that the API could also be ripe for abuse as well due to the way limitations currently work.  I've bled out tons of data before simply by not connecting anything I wanted to the nodes table, which is where the limits normally are in effect.