Security profiles can be created from transactions, infotypes to specific fields and I believe, even for amount based restrictions are possible.
The security profile can be assigned to a role or person.
Here I expect role means position. If the position is being shared, then the sec.profile needs to be assigned to the person.
Of course, PBO module part of these programs can be enhanced to provide further restrictions. As you may be aware, PBO modules are executed before the screen is displayed. PAI modules are executed after any input like pushing the button or pressing enter.
User code can be in the form of BADI, BAPI, ABAP Enhancement, user exits or functions (in LXPADU01 for PBO and LXPADU02 for PAI).
See link