I think Cirrus needs a way to control which users can manage which devices. For instance if there is a regional help desk it would be desirable to delegate management of devices by specific region to each group. For instance European help desk would only have access to devices in Europe and US team in US..etc. I think the initial permissions should be done by devices, then follow by permissions for most of the application functions.