I will take the example of sales here, but I'm looking to extend this to several models.
There are 2 kinds of users:
- The regular ones with the usual groups (group_sale_salesman, ...) and usual rules.
- There are also special groups "secret_user" and "secret_manager" of users.
- Regular users shouldn't be able to view "secret_user" sales and other documents.
- "secret_user" shouldn't be able to access regular users' and other "secret_user" documents.
- "secret_manager" shouldn't be able to access regular users' documents but can see "secret_user"'s ones (like group_sale_salesman and salesman_all_leads).
- A user needs to be in "secret_manager" and "group_sale_salesman_all_leads" to see all sale orders.
How do I make a rule checking if the record was created by a user in "secret_user" and so restrict the access to it?
I'm nearly envisaging multi-company for this, am I wrong?
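One way to express this with Odoo record rules, as an added example rather than code from the question or from Odoo itself. It assumes a custom module named `secret_sale` (placeholder), that the two groups are defined by this module, and that `user.has_group()` and `user.env.ref()` are callable inside `domain_force` (they are ordinary methods on the `user` record that the rule evaluation context exposes). Because the rule has no `groups`, Odoo ANDs it with the per-group sale rules, so a regular user in `group_sale_salesman_all_leads` still cannot see records created by a secret user.

```xml
<?xml version="1.0" encoding="utf-8"?>
<odoo>
  <!-- Assumed groups; "secret_sale" is a placeholder module name. -->
  <record id="group_secret_user" model="res.groups">
    <field name="name">Secret user</field>
  </record>
  <record id="group_secret_manager" model="res.groups">
    <field name="name">Secret manager</field>
  </record>

  <!-- Global rule (no "groups" field): ANDed with every other sale.order rule.
       The group rules shipped by the sale module ("own documents" for
       group_sale_salesman, everything for group_sale_salesman_all_leads)
       are ORed with each other, but can never widen this global rule. -->
  <record id="sale_order_rule_secret_segregation" model="ir.rule">
    <field name="name">Sale orders: segregate records created by secret users</field>
    <field name="model_id" ref="sale.model_sale_order"/>
    <!-- Evaluated as one Python expression per access check, with "user"
         bound to the current user:
         - secret_user    -> only records they created themselves
         - secret_manager -> only records created by some secret_user
         - everyone else  -> only records NOT created by a secret_user -->
    <field name="domain_force">
      [('create_uid', '=', user.id)]
        if user.has_group('secret_sale.group_secret_user') else
      [('create_uid.groups_id', 'in', [user.env.ref('secret_sale.group_secret_user').id])]
        if user.has_group('secret_sale.group_secret_manager') else
      [('create_uid.groups_id', 'not in', [user.env.ref('secret_sale.group_secret_user').id])]
    </field>
    <!-- Apply to read, write, create and unlink (all default to True;
         listed explicitly so the scope of the rule is visible in review). -->
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
  </record>
</odoo>
```

Keep a user in exactly one of the two secret groups: if a secret manager were also a secret user, the first branch would apply and the manager would drop back to "own records only". Secret users still need the ordinary sale groups for the model access rights (ir.model.access); this rule only narrows which rows those rights reach.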