What is the best way to give employees fewer rights within my HUMBLE environment?

Within HUMBLE we use a standard role set, for instance a user role and a supplier role. Besides that it is possible to grant extra or less rights per user. That way you can determine exactly what a user can view and what he or she can modify.