Restrict users (partners) to see only their records

Our company is working with partners and they are added like users in the ERP (we are using v12) with restricted access just to create new Leads and to see (read) only their Leads and only specific fields from them.
I’ve managed that with:

  • new Role Profile - Partner with no access to modules, I give them only link to Leads page
  • new Role Permissions Manager access only to Lead page - “only if creator” and “read”
  • new rule with different level only for fields that may see

Everything is looking good and works fine, partner see only his leads and when he opens one of his lead records this is the example URL link:
And the problem is that the partner can enter in the browser the following URL link for example: and see records that does not belong to him.
Basically, everything is restricted, but if the partner enters different lead number like URL link, he can see the data that should not be in his permission.