How do I make it so a user can only access certain network devices rather than every device on the network through Cisco ISE?

Not talking about access list. For example there's a switch on the network that I want someone to be able to access so they can change configs remotely, but I don't want them to be authorized on any other device.

I can see how I can I can assign nodes to groups, but I start getting a bit lost when it comes to how to set up policies and how to give a user or user group access to node groups, if that makes sense. I messed around with it a bit but couldn't figure it out.