Hi Anton,
In order to implement what you describe you will likely want to create three groups to delineate your Manager, Officer and Staff roles.
From there, you'll create access rights that allow members of these groups to either read, write (modify), create or delete records of specific models. You will need to identify all the models that you want to allow each group to have access to. From your description, I am guessing this will be Employee (hr.employee), Time Off (hr.leave), Expense (hr.expense) and/or a number of others. You need one access right per group per model to grant access.
Once you have given access rights to your different groups (very general - applies to all records in a model), you can refine things further by adding Record Rules. Record rules restrict access already granted by access rights. Record rules are what you would use to restrict access based on the department a given user belongs to, for example. You will use domains to define the scope of records on which the read/write/create/delete permissions should be granted for each user.
Record rules can be a little confusing to implement, so I would strongly recommend you read the documentation on Security in Odoo before moving on to this part. I would also recommend that you have a look at existing Record Rules by navigating to Settings > Technical > Security > Record Rules (or just type "record rules" in the app switcher). You'll need to have turned on the developer (debug) mode to see record rules. Have a look at some of the existing rules with "employee" or "time off" in the name to get some inspiration.
If you run into any more specific hurdles, let us know and we'll try to help you solve whatever problems you run into.
Good luck! Oh, and ... don't give up. Access Rights and Record Rules are super powerful tools once you understand how to use them. The knowledge you gain will be very useful as you continue to use Odoo.
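
The three steps described in the answer above (groups, access rights, record rules), sketched as an added example that is not part of the original answer. It is a data file for a hypothetical add-on that depends on `hr_holidays` and covers only Time Off (`hr.leave`); all record ids and group names are assumptions.

```xml
<odoo>
  <!-- Added illustration: data file of a hypothetical add-on; every id and name below is an assumption. -->
  <!-- 1. Groups. Each role implies the one below, so it also inherits that role's access rights. -->
  <record id="group_role_staff" model="res.groups">
    <field name="name">Role: Staff</field>
  </record>
  <record id="group_role_officer" model="res.groups">
    <field name="name">Role: Officer</field>
    <field name="implied_ids" eval="[(4, ref('group_role_staff'))]"/>
  </record>
  <record id="group_role_manager" model="res.groups">
    <field name="name">Role: Manager</field>
    <field name="implied_ids" eval="[(4, ref('group_role_officer'))]"/>
  </record>

  <!-- 2. Access right (model-wide). Only Staff on hr.leave is shown; add one per group and model where permissions differ. -->
  <record id="access_hr_leave_role_staff" model="ir.model.access">
    <field name="name">hr.leave role staff</field>
    <field name="model_id" ref="hr_holidays.model_hr_leave"/>
    <field name="group_id" ref="group_role_staff"/>
    <field name="perm_read" eval="1"/>
    <field name="perm_write" eval="1"/>
    <field name="perm_create" eval="1"/>
    <field name="perm_unlink" eval="0"/>
  </record>

  <!-- 3. Record rules (per-record scope). Rules attached to groups are OR-ed across all of a
       user's groups, so an Officer (who is also Staff) sees own requests plus the department's. -->
  <record id="rule_hr_leave_staff_own" model="ir.rule">
    <field name="name">Time Off: staff, own requests</field>
    <field name="model_id" ref="hr_holidays.model_hr_leave"/>
    <field name="groups" eval="[(4, ref('group_role_staff'))]"/>
    <field name="domain_force">[('employee_id.user_id', '=', user.id)]</field>
  </record>
  <record id="rule_hr_leave_officer_dept" model="ir.rule">
    <field name="name">Time Off: officer, own department</field>
    <field name="model_id" ref="hr_holidays.model_hr_leave"/>
    <field name="groups" eval="[(4, ref('group_role_officer'))]"/>
    <field name="domain_force">[('employee_id.department_id.member_ids.user_id', 'in', [user.id])]</field>
  </record>
  <record id="rule_hr_leave_manager_all" model="ir.rule">
    <field name="name">Time Off: manager, all records</field>
    <field name="model_id" ref="hr_holidays.model_hr_leave"/>
    <field name="groups" eval="[(4, ref('group_role_manager'))]"/>
    <field name="domain_force">[(1, '=', 1)]</field>
  </record>
</odoo>
```

Because group rules are OR-ed, a rule belonging to any other group the user holds on the same model also widens what they see, so review the existing Time Off rules under Settings > Technical > Security > Record Rules before relying on these domains.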