How to prevent edit, or create regardless of application used


We have a case where by default we would like to prevent supervisors (manager) of employee from editing the records of their subordinates (in person-table). This can be prevented from the Web Designer (, but the supervisor can still edit the attributes from Manager (or even from API if they know how).

It seems that there are various ways which can be applied, but perhaps most secure way would be to do this on the level of permissions so that regardless of the tool used, they cannot find a loophole. Perhaps the script called on saving could be used, but that would in this case require identifying the logged in user and their person-object.

Is there already a KB-article, that describes how to implement this in the most practical way or do you (or anyone else) has recommendation of best practices when it comes to requirements like this?