We have designed and developed a custom addon in Odoo Community v12 regarding building management. There are three types of security groups in our case which are normal building user with only a read right and the building manager and officer with CRUD rights of 1,1,1,0 and 1,1,1,1 respectively. The officer and the manager can attach documents to the Building model through relationship created with ir_attachment table. 

However, we have a situation such that the normal users should not see the attachment added for the building in any of the circumstances (including rpc). If we are to restrict the permissions to ir_attachment then the user cannot see any attachment in any other odoo module. We created a seperate model for keeping building attachments named 'building.attachment' but is this a recommended approach as there is already a table called (ir_attachment) in odoo database that keeps attachments? Beacuse we will develop tens of addons with such case and creating an attachment table for each addon seems to be an inappropriate approach.

We tried to write an access rule for the respective record in ir.attachment to restrict normal users from reaching (ir.model=building) but haven't come across any application that uses such kind of restriction. 

We will be very appreciative if anyone has any idea on solving this problem.