Rights of access are given to user on each record separately. All records of a database, independently of tables, to which they belong, are broken into some not crossed sets - departments. Concrete user has identical rights of access to all records of one department. Single field of natural type, in which number of department is specified, can exist in record - we shall mark such fields as "legal". If user have no rights to a record with any operation, then record does not exist for this user (he don't see it within of this operation). If legal field is absent in record, then user has all rights to this record. This field is accessible for writing with the same bases, as all other fields of record.
Any user, who enter data, needs right to update, because he can make mistake during inserting values. Anyone, who update fields, can write senseless values or assign "null" into them - both that, and another is equivalent to deleting of record. Right to update without right to read is looks very strange. Therefore right to update is senseless without rights to delete and to read and should be complemented by them - we shall name such whole right as right to operate (operate = update + delete + read). So access to departments accepts only three values: read, operate, absence of access.
It's reasonable to unite rights of one user into array inside DBMS, and to give access to these arrays through system table "right2department".
Value, which is assigned by default to legal field of each record, which is inserted into database by user, is named as trace. User's name, his password (encrypted) and trace are listed in system table "sys4user".
Records, received by graphic interface, must have mark about that, user can only read these fields or also change. This one-bit mark is calculated on base of value of legal field and element of array 'right' of table 'right2department'. It's comfortable to send calculated value in record itself in additional field of datatype 'bit1' (0=read only, 1=operate). Such "calculated" field don't exist really (and certainly is inaccessible for writing), and we shall mark them as "secondary".