Restrict access to reports or attachments? Project Module

I’d like to ask if there is a way to hide the reports button or prevent access to certain attachments? The permissions of the current user on screen are the imported « base user » and « project user » roles.

Reason for this is that the financial report shows the hourly rate of employees that have logged their time. I was supposed to give access to an employee who manages people under him but I don’t want him to see the hourly rate of other employees.

The user with his current permissions is also able to view previous reports generated since once a new report is created, it automatically attaches it.

What would be the best way to go about it?

You have to define two groups and allow one group to access that

and can be filtered like self.createdBy = user or user.memberOf = groupName

pseudocode written

Do I change it in the view or action view? I still want the person to have access to the page but just not be able to view attachments or reports.

Alternatively I could just have the reports disabled on that user and have the reports not automatically be added as an attachment just in case they need to make use of other attachments.
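
The group-plus-filter rule from the reply above, written out as an added example that is not part of any post in this thread and is not the platform's own permission syntax. The group name, the attachment "kind" field and the sample records are assumptions constructed for illustration; the check runs where the data is loaded, so previously generated reports that were attached automatically are covered as well as the reports button.

```python
from dataclasses import dataclass

# Hypothetical group: only its members may read every financial report.
REPORT_GROUP = "project_finance"

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass(frozen=True)
class Attachment:
    file_name: str
    created_by: str
    kind: str  # constructed categories: "financial_report" or "document"

def can_read(user, att):
    """self.createdBy = user OR user.memberOf = groupName (the reply's pseudocode).

    Assumption: the rule applies only to financial reports, so the user
    keeps access to the other attachments on the project."""
    if att.kind != "financial_report":
        return True
    return att.created_by == user.name or REPORT_GROUP in user.groups

def visible_attachments(user, attachments):
    # Filter the records themselves, not just the button in the view:
    # older auto-attached reports are hidden by the same rule.
    return [a.file_name for a in attachments if can_read(user, a)]

def can_run_report(user):
    # Same group gate for generating a new financial report.
    return REPORT_GROUP in user.groups

# Constructed sample data
MANAGER = User("manager", frozenset({"base_user", "project_user"}))
FINANCE = User("finance", frozenset({"base_user", "project_user", REPORT_GROUP}))
ATTACHMENTS = [
    Attachment("financial-report-old.pdf", "finance", "financial_report"),
    Attachment("financial-report-new.pdf", "finance", "financial_report"),
    Attachment("own-upload.pdf", "manager", "financial_report"),
    Attachment("spec.docx", "finance", "document"),
]

if __name__ == "__main__":
    for u in (MANAGER, FINANCE):
        print(u.name, can_run_report(u), visible_attachments(u, ATTACHMENTS))
```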