It seems quite difficult!! Right?
In the User record you have the definition of what each can see....
1. UserID (which is poorly named... perhaps UserAccess might be a better alternative. One usually assumes a UserID will be a unique value)
In the security you have a privset for Manager. Here you limit the records to allowing them to view records where the UserID & Group match the records in the other tables with the same UserID & Group values. If you create a many-to-many relationship between the user table and the data table by using UserID & Group, you can just allow records which belong to that relationship.
In the Datafile, the records are marked by the viewable user... but it does not appear they are also marked with a Group. I think this is essential.
You can capture the values in the user records by using variables, or you can apply the same relationship to every table you want to restrict. You must make the same privSet rules in all tables where you wish to restrict access.
I hope this leads you to look in the right areas. (I'm tired so hopefully not confusing you)
Privileges are used to isolate the accounts, and using the popup options you can designate scripts, layouts, etc. as viewable, modifiable or not.
People are then given an account name and password, and a selected privilege set is applied to that account. The privilege set can be changed at any time; it is best to have the account offline.
The easiest way to design privileges is to start with everything off and then assign the privileges to the lowest rank. Assuming the privileges to be hierarchical, you would duplicate that privilege set, rename it and then add extra functions. And so on.
Sometimes a privilege set is needed for specific functions and so you can create it and isolate those functions, turning off all others.
Navigation now becomes an issue and you should produce layouts designed for a privilege set and that only contain buttons and fields that work with that privilege set.
If you use account names and account privileges in an if/else to designate actions, be aware that changing the account name or privilege set name will make the if/else not work correctly.
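As an added illustration of both replies (this is a Python model written for this page, not FileMaker code and not from either poster), the following shows a deny-by-default privilege set extended rank by rank, and record visibility limited to rows whose (UserID, Group) pair appears in the account's memberships. The table rows, account names and privilege names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-ins for the User table (membership pairs) and the data
# table discussed in the thread; every value here is hypothetical.
USERS = [("alice", "Sales"), ("alice", "Ops"), ("bob", "Sales")]
RECORDS = [
    {"id": 1, "UserID": "alice", "Group": "Sales", "body": "Q1 forecast"},
    {"id": 2, "UserID": "bob", "Group": "Sales", "body": "Q2 forecast"},
    {"id": 3, "UserID": "alice", "Group": "Finance", "body": "payroll"},  # group not granted
    {"id": 4, "UserID": "carol", "Group": "Ops", "body": "on-call rota"},  # no membership row
]


@dataclass(frozen=True)
class PrivilegeSet:
    name: str
    allowed: frozenset = frozenset()   # deny by default: nothing is usable unless listed
    record_access: str = "none"        # "none", "limited" (relationship match) or "all"

    def extend(self, new_name, extra_functions):
        """The duplicate-and-rename pattern: the next rank inherits this set plus extra functions."""
        return PrivilegeSet(new_name, self.allowed | frozenset(extra_functions), self.record_access)


def can_use(priv, function_name):
    """Check a capability, never the privilege set's name (renaming would break a name check)."""
    return function_name in priv.allowed


def visible_records(priv, account, users=USERS, records=RECORDS):
    """Record-level access: a row is viewable only if its (UserID, Group) pair
    is one of the account's membership pairs in the User table."""
    if priv.record_access == "all":
        return [r["id"] for r in records]
    if priv.record_access != "limited":
        return []
    membership = {(u, g) for u, g in users if u == account}
    return [r["id"] for r in records if (r["UserID"], r["Group"]) in membership]


# Lowest rank first, everything else off; Manager is Clerk plus extra functions.
CLERK = PrivilegeSet("Clerk", frozenset({"Layout:DataEntry", "Script:Save"}), "limited")
MANAGER = CLERK.extend("Manager", {"Layout:Reports", "Script:Approve"})

if __name__ == "__main__":
    for acct in ("alice", "bob", "carol"):
        print(acct, visible_records(MANAGER, acct))
```

Record 3 is marked to alice but not to a group she belongs to, and record 4 has no membership row at all, so neither appears; that is the "also mark records with a Group" point from the first reply.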