From what I gathered, and yes, I read all the manuals and wikis and did testing for the following:
The user access model in ERPNext is based on allowing access to user roles on data through user permissions.
But it is not clear to me how to restrict access to all but a select few.
To clarify by an example:
I want all users with a procurement role to have the regular access to my suppliers, but restrict access to suppliers who belong to a certain supplier type to a user or two. Of course, these two users will have access to ALL suppliers among those restricted.