How to restrict access to contacts based on user group and fields?

Hello, I am using Odoo 15

I want to set write permission on res.partner only based on certain conditions: If a field on the partner has a certain value, and the user has a certain group, he shall get write access.

Example: We have a flag "CRM contact" on res.partner and now only users with the "CRM" group shall be able to edit these contacts.

I tried this with record rule, but failed. I created a rule for res.partner, and  I used this domain filter:

[('x_studio_crm_kontakt', '=', True)]

and I added the CRM group, and I set read/write/delete rights.

But nothing happens. 

Any Ideas, Experts?

thank you, Johannes