Generally, the best method is called record level access control where the very account they use to open the database file controls which records they can view and/or edit. See "Editing record access privileges" in FileMaker Help and check out this particular sub section: "Entering a formula for limiting access on a record-by-record basis" for a description of how to set this up.
Note that when you perform a find, records for which the current user does not have access permission to view are automatically omitted from the resulting found set.
fascinating! Can't wait to see if I can implement this. I appreciate your quick and informative reply.