You can configure different level of access for different users. For local user creation, you can go to admin -> AAA -> local users. During the username creation, you will be able to restrict user's privilege. You can also assign the user to a specific security domain, where they will only be able to access whatever Tenant associated with that domain. If for whatever reason, the user needs access outside of his security domain, you can also setup RBAC to allow access to specific DN.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI_Fundamentals_BigBook_chapter_0110.html