There exists a lot of doctrine, but no easy answers.
Access can be regulated by role, task and sometimes security level (secret, top secret or some commercial equivalent), but the more granular these become, the tougher it gets to administer them and to adapt to new conditions (reorgs, changes in role, task, etc.). What you specified is “data-regulated” filtering, and the question then becomes who has done the work to relate role, level and task to data (entities, attributes, etc.). SAP, for example, offers all sorts of ways to “filter” according to role and task, but within those applying additional “data regulated” access filters is still challenging.
One way “data regulated” access filtering can be implemented is through Business Intelligence/data warehouse approaches. The extract, transform and load process in effect prepackages the source data and keeps the users out of the source applications. Within the data, you can further prepackage data into cubes that not only work as filters, but often at least as importantly help otherwise confused users to get to what they want. A lot of data access violations are not deliberate, but the inadvertent result of a query writer forgetting to qualify a query.
If the access requirements you have in mind are relatively specific (e.g., enable a user to check inventory availability with dynamic user-level inventory location filtering), or perhaps you need to include write capabilities into the source application, Web Services can be the answer. Developing a “Web Service” that supports the specific task can be used to publish suitably focused query or update capability. To invoke that capability, the user would then need access to some system that can issue a conforming web services call to your web service, and therefore the web service call-respond dialog makes it easy to establish arm's-length relationships. The web services information request – although it indirectly would kick off SQL – would come as an XML document that would need to conform to the specs defined in your web service call, and the calling program would never see the SQL.
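The inventory-availability service described above, sketched as an added example that is not part of the original post: the handler accepts only a conforming XML request, takes the location filter from a server-side entitlement table keyed on the authenticated user, and returns XML so the caller never sees SQL. The table names, element names (`InventoryQuery`, `Sku`) and function names are hypothetical, and the data is constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample data: inventory rows and per-user location entitlements.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE inventory (sku TEXT, location TEXT, qty INTEGER);
        CREATE TABLE user_location (username TEXT, location TEXT);
        INSERT INTO inventory VALUES ('A100','DAL',40),('A100','ATL',15),('A100','SEA',7);
        INSERT INTO user_location VALUES ('alice','DAL'),('alice','ATL'),('bob','SEA');
    """)
    return db

class RequestRejected(Exception):
    """Raised when a request does not conform to the (hypothetical) service spec."""

def check_availability(db, authenticated_user, request_xml):
    """Handle one <InventoryQuery><Sku>..</Sku></InventoryQuery> request."""
    # Refuse DTD/entity declarations outright (this also rejects comments);
    # the stdlib parser would otherwise expand internal entities.
    if "<!" in request_xml:
        raise RequestRejected("declarations are not allowed")
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError as exc:
        raise RequestRejected(f"malformed XML: {exc}")
    # Conformance check: exactly the one element the spec defines, nothing else.
    if root.tag != "InventoryQuery" or [c.tag for c in root] != ["Sku"]:
        raise RequestRejected("request does not conform to spec")
    sku = (root[0].text or "").strip()
    if not (sku.isascii() and sku.isalnum()) or len(sku) > 20:
        raise RequestRejected("invalid Sku")
    # The location filter comes from the entitlement table keyed on the
    # authenticated identity, never from the request; Sku is a bound parameter.
    rows = db.execute(
        """SELECT i.location, i.qty FROM inventory i
           JOIN user_location u ON u.location = i.location
           WHERE u.username = ? AND i.sku = ? ORDER BY i.location""",
        (authenticated_user, sku)).fetchall()
    resp = ET.Element("InventoryResponse", sku=sku)
    for location, qty in rows:
        ET.SubElement(resp, "Stock", location=location, qty=str(qty))
    return ET.tostring(resp, encoding="unicode")
```

The `authenticated_user` argument is assumed to come from the service's own authentication layer, not from the XML body.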