you can follow these steps:

1. Add a Many2one field for the CEO in your resignation approval model.
2. When a CEO approves a resignation request, check if the employee's company matches the CEO's company.

from odoo import models, fields, api, exceptions

class ResignationApproval(models.Model):

    _name = 'resignation.approval'

    employee_id = fields.Many2one('hr.employee', string='Employee')

    company_id = fields.Many2one('res.company', string='Company', related='employee_id.company_id', store=True)

    ceo_id = fields.Many2one('res.users', string='CEO')

    @api.multi

    def action_approve(self):

        for record in self:

            if record.ceo_id.company_id != record.company_id:

                raise exceptions.UserError("You cannot approve the resignation request for an employee from another company.")

            # Add your approval logic here

This should be covered by standard authorization management. Unless your custom module override any of this.

In User access right remove access to Multi Company. (In the bottom of the screen.)

In the top of the screen, you can define allowed companies.  Then they would not be able to access any registration for employees outside the company for which they have access.