An API key has been configured to have access to select user or device groups only, but a user- or device-related GET API call made with that key returns all users or devices.
Privileged Access Manager releases 4.1.5 and below
The user with which the API key is associated is a member of a group that has access to all users/devices. In these releases, you could edit an API key definition to reduce its privileges to use the External API by removing roles that were directly assigned to the user account. However, you could not remove roles inherited from user groups of which the user was a member, so the key kept the group's access to all users/devices.
Release 4.1.6 introduced an enhancement that allows you to reduce API key privileges by removing roles inherited from user groups of which the user is a member. See the following item on the page New Features in 4.1.6: