Depending on the Role a User has assigned (admin/user/guest) he gets more or less the same permissions on all Services and Host he can access in CMK.
In a big Environment with a lot of different Teams id would sometimes be very helpful when you could give the Users read only access to group of customer/sites/host/services and full access to another Group of customer/sites/host/services.
As example the Application Owner can see all his Services on the Application Server and the related Services on the Database Server in CMK. On his own application Server, he has full access (Acknowled, Downtime,…) and on the Database Server he can only see the Services but has no Permission to do anything with this Services.
this setting and rules controlls only what the user is allowed to see in the GUI but not what the User is allowed do do with this services.
If the user has the right to set downtimes or can enable/disable notifications in CMK, he can do so for all services that he can see in the CMK. As far as i now it’s not possible to restrict this right only to an group of services.