Hi Biao,
It seems to me that you have to set up (as usual) different module roles with different rights and, at the end, also different user roles.
1 - Define the different users per module (manager, staff)
2 - Define the different user roles (manager, staff)
3 - Set up access per entity in the domain model (read & write, read only)
4 - Applying entity access limits the objects retrieved by the retrieve action to only those that the current user is allowed to see. For example, if you want a user to see only information about his department, you can apply this in the MF of that retrieve action.
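To make the four steps concrete, here is an added illustrative model of the same layering (user roles granting module roles, module roles carrying per-entity rights, and a constrained retrieve). It is example code written for this answer, not Mendix's own security engine; the role names, entity names, department data and the rule that grants from several roles are unioned are all assumptions of the model.

```python
"""Illustrative model (added example, not Mendix's own engine) of the
four steps above: user roles map to module roles, module roles carry
per-entity access (read_write, read_only or none) plus an optional
row-level constraint, and a retrieve returns only objects the current
user may see. All names and data below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    name: str
    department: str
    user_roles: frozenset


@dataclass
class EntityAccess:
    rights: str  # "read_write", "read_only" or "none"
    # Constraint receives (current user, object) and decides whether the
    # object is visible to that user; None means no row-level restriction.
    constraint: Optional[Callable[[User, dict], bool]] = None


# Steps 1 and 2: user roles grant module roles (constructed mapping).
USER_ROLE_TO_MODULE_ROLES = {
    "Manager": {"HR.Manager"},
    "Staff": {"HR.Staff"},
}

# Steps 3 and 4: per-module-role access per entity. Staff may only read
# employees of their own department; managers may read and write all.
ENTITY_ACCESS = {
    "HR.Manager": {
        "HR.Employee": EntityAccess("read_write"),
    },
    "HR.Staff": {
        "HR.Employee": EntityAccess(
            "read_only",
            constraint=lambda user, obj: obj["department"] == user.department,
        ),
    },
}

# Constructed sample data standing in for persisted HR.Employee objects.
EMPLOYEES = [
    {"name": "Alice", "department": "Sales"},
    {"name": "Bob", "department": "IT"},
    {"name": "Carol", "department": "Sales"},
]


def module_roles_for(user: User) -> set:
    """Collect every module role granted by any of the user's user roles."""
    roles = set()
    for user_role in user.user_roles:
        roles |= USER_ROLE_TO_MODULE_ROLES.get(user_role, set())
    return roles


def can_write(user: User, entity: str) -> bool:
    """True if at least one of the user's module roles has read_write on the entity."""
    for module_role in module_roles_for(user):
        access = ENTITY_ACCESS.get(module_role, {}).get(entity)
        if access is not None and access.rights == "read_write":
            return True
    return False


def retrieve(user: User, entity: str, objects: list) -> list:
    """Return the objects of `entity` the user may read.

    Grants from different roles are unioned (an assumption of this model):
    an object is visible if any role grants read access to it, either
    unconditionally or through a constraint that matches the object."""
    visible = []
    for obj in objects:
        for module_role in module_roles_for(user):
            access = ENTITY_ACCESS.get(module_role, {}).get(entity)
            if access is None or access.rights == "none":
                continue
            if access.constraint is None or access.constraint(user, obj):
                visible.append(obj)
                break
    return visible


if __name__ == "__main__":
    manager = User("Mia", "IT", frozenset({"Manager"}))
    staff = User("Sam", "Sales", frozenset({"Staff"}))
    print([e["name"] for e in retrieve(manager, "HR.Employee", EMPLOYEES)])
    print([e["name"] for e in retrieve(staff, "HR.Employee", EMPLOYEES)])
```

Running it shows the manager retrieving all three employees while the Sales staff member only gets Alice and Carol, and a user with no roles at all gets nothing back from the same retrieve.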