We have a workaround to make sure that a user from tenant1 is not able to see a monitor created by a user from tenant2. This is by adding this to the rolesearch in the authz section of ldap configuration.
rolesearch: "(&(|(cn=CSG_OPENSEARCH*)(cn=elm_*))(member={0}))"
userroleattribute: null
userrolename: "disabled" <changed from null to disabled>
Thanks
Murali