For the most part the dashboard access/permission is network based. So you would select a target network, and the user will have the following options to choose from:
- Guest ambassador: User only able to see the list of Meraki authentication users, add users, update existing users, and authorize/deauthorize users on an SSID or Client VPN. Ambassadors can also remove wireless users, if they are an ambassador on all networks.
- Presented with user management portal only.
- Monitor-only: User only able to view a subset of the Monitor section in Dashboard and no changes can be made.
- Read-only: User able to access most aspects of a network, including the Configure section, but no changes can be made.
- Full: User has access to view all aspects of a network and make any changes to it.
https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Managing_Dashboar...
Assuming you have a Combined network this might limit your control, however I believe you can use TAGS to give you control on a per-device type basis. If you have the MX on its own network then you can limit users from read-write to read-only etc.
It doesn't get as granular as you are looking for unfortunately. I wish it did.