Filtering if role exists for a certain association

I want to be able to use roles in page/entity permissions but want to filter based on an "association" existing. I was told you can do this and that there was a learning path somewhere that detailed it, but I can't find it. To explain: let's say I have an entity of type tool that has name, location, cost, etc. I make a role called Tool_Can_Edit; on the tool edit page (input of object tool), if the logged-in user has the edit role, they can edit the tool information, and if they don't, they can't edit that tool information. However, let's say I have 100 users and 100 different tools. User 1 can only edit certain tools, user 2 can only edit other certain tools and user 3 has edit on no tools. How do you make the associations and then filter the role on the page/entity so that a user can only edit the tools that they have been granted access to edit without giving them the blanket Tool_Can_Edit role for all tools?
asked
1 answer

If I get it right, you can create a ToolRole helper matrix table which will store aggregated permissions. It needs to be associated with the Account table in order to use CurrentUser. You mentioned User 1 can edit certain tools, let's say it will be Hammers, and User 2 can edit Drills only. This information needs to be stored somewhere, and having it in a table makes the most sense.

You can assign users to ToolRole as you wish, and then on the entity access for Tool you need an XPath as in the image, which will check that those particular Tools are associated with those ToolRoles and that those are associated with the current user. Only then can you edit properties. So if a Tool is not associated with a ToolRole which is associated with the User, then it won't be editable. The role is for editing, so you need only 1 role and 1 XPath in it to cover that use case. Another role can be for Read, and without an XPath it will show all Tools.

[Module.Tool_ToolRole/Module.ToolRole/Module.ToolRole_Account='[%CurrentUser%]']

Have a ToolRole mapping for Admin somewhere, and once you set it up it should cover your use case.


______________________________________________

Edit: with a direct association to Role, but this would require as many roles as there are possibilities you need to map.

answered
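
The rule that the XPath constraint in the answer expresses, modelled relationally with Python and sqlite3 as an added example (not part of the original answer and not Mendix's own implementation). Table and column names, the AllTools role and all sample rows are constructed assumptions that mirror the Tool, ToolRole and Account entities and their two associations.

```python
import sqlite3

# Constructed sample data. Names are assumptions mirroring the answer's
# entities (Tool, ToolRole, Account) and associations
# (Tool_ToolRole, ToolRole_Account).
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE tool (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE toolrole (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE tool_toolrole (tool_id INTEGER, toolrole_id INTEGER);
CREATE TABLE toolrole_account (toolrole_id INTEGER, account_id INTEGER);
INSERT INTO account VALUES (1,'user1'),(2,'user2'),(3,'user3'),(4,'admin');
INSERT INTO tool VALUES (1,'Hammer A'),(2,'Hammer B'),(3,'Drill A'),(4,'Saw A');
INSERT INTO toolrole VALUES (1,'Hammers'),(2,'Drills'),(3,'AllTools');
INSERT INTO tool_toolrole VALUES (1,1),(2,1),(3,2),(1,3),(2,3),(3,3);
INSERT INTO toolrole_account VALUES (1,1),(2,2),(3,4);
"""

# A Tool is editable only if some ToolRole is linked to BOTH the Tool and the
# current account: the same path the XPath walks
# (Tool -> Tool_ToolRole -> ToolRole -> ToolRole_Account -> current user).
EDITABLE = """
SELECT t.name FROM tool t
WHERE EXISTS (
  SELECT 1 FROM tool_toolrole tr
  JOIN toolrole_account ra ON ra.toolrole_id = tr.toolrole_id
  WHERE tr.tool_id = t.id AND ra.account_id = ?)
ORDER BY t.name
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def editable_tools(db, account_id):
    """Names of the tools the given account may edit under the rule."""
    return [row[0] for row in db.execute(EDITABLE, (account_id,))]

def can_edit(db, account_id, tool_name):
    """Per-object check: deny unless a linking ToolRole exists."""
    return tool_name in editable_tools(db, account_id)

if __name__ == "__main__":
    db = build_db()
    accounts = db.execute("SELECT id, name FROM account ORDER BY id").fetchall()
    for account_id, name in accounts:
        print(name, editable_tools(db, account_id))
```

In the sample data "Saw A" has no ToolRole at all, so nobody can edit it, including the admin account; a newly created Tool stays locked until it is linked to a ToolRole.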