Here is the manual: http://www.epesi.org/Permissions
and here is a sample code:
Utils_RecordBrowserCommon::wipe_access('company');
Utils_RecordBrowserCommon::add_access('company', 'print', 'SUPERADMIN');
Utils_RecordBrowserCommon::add_access('company', 'export', 'SUPERADMIN');
Utils_RecordBrowserCommon::add_access('company', 'view', 'ACCESS:employee', array('(!permission'=>2, '|:Created_by'=>'USER_ID'));
Utils_RecordBrowserCommon::add_access('company', 'view', 'ALL', array('id'=>'USER_COMPANY'));
Utils_RecordBrowserCommon::add_access('company', 'add', 'ACCESS:employee');
Utils_RecordBrowserCommon::add_access('company', 'edit', 'ACCESS:employee', array('(permission'=>0, '|:Created_by'=>'USER_ID'));
Utils_RecordBrowserCommon::add_access('company', 'edit', array('ALL','ACCESS:manager'), array('id'=>'USER_COMPANY'), array('group', 'permission'));
Utils_RecordBrowserCommon::add_access('company', 'edit', array('ACCESS:employee','ACCESS:manager'), array());
Utils_RecordBrowserCommon::add_access('company', 'delete', 'ACCESS:employee', array(':Created_by'=>'USER_ID'));
Utils_RecordBrowserCommon::add_access('company', 'delete', array('ACCESS:employee','ACCESS:manager'));
This code removes existing access rights from CRM Companies recordset and replaces with custom rules.