Make sure that no one uses an account with a [full access] privilege set. Then set permissions for all privilege sets to use a custom privilege setting where they can only edit data if a "lock field" is empty. Use a script to "lock" the record by setting that field to a value.
See "Editing record access privileges" in FileMaker Help and check out this particular sub section: "Entering a formula for limiting access on a record-by-record basis" for a description of how to set this up.
I did grasp this way of doing through privileges* but the problem I have is that I can't seem to implement this in a data separation model, ie I can't assign record level privileges to a remote data set.
*though why the concept of absolute data is lost on Filemaker I don't know but that's a subject for another time. There are miriad examples where data should be read-only to everyone including super-admin, logs for example.
You can set it up on the data file. What I would do is define the individual accounts and passwords only in the data file--so you get the needed access control and so that deployment of interface files does not create an issue for users that changed/added accounts since the last update.
Set up the interface file to auto-enter a password. When a layout opens with references to fields from the data file, the password login dialog will appear for the user to log in.
OK, I'll give that a go. Thanks Phil.