Hi @peter.ridzi,
[edit: the following two sentences are incorrect, see comments below]
in Kibana 5.x the objects stored in the .kibana index are always accessed using the user specified in elasticsearch.username. That is why the permissions assigned to the logged-in user do not take effect.
Implementing full security on the saved object level is something that is planned. The currently recommended workaround for multi-tenant Kibana setups is to run multiple Kibana instances with different kibana.index settings.