Zenoss 4.x and Earlier
When a user is set up to use Administered Objects, other devices that were not specified in their Administered Objects tab may also be displayed. This may be undesirable if the administrator's intention in specifying Administered Objects for the user was to restrict his / her access to those objects alone.
In this scenario, Zenoss is operating correctly. The user can see all objects if a 'Global Role' (Manager, ZenManager, ZenOperator, ZenUser) for that user remains in place after 'Administered Objects' were specified for the user. To restrict a user's view to only the administered objects explicitly defined, a user should not have any global roles defined. The Global Role may have been created as a default value when the user was created or during authentication with LDAP or Active Directory (if integrated authentication is being used). Revocation of the Global Role is required to restrict access to the Administered Objects.
Navigate the user's Edit tab and remove this global role by CTRL-clicking (or COMMAND-clicking on a Mac) on the active role in this field. After saving, the user will only see what is made available to them via Administered Objects.