This is not trivial.
First, you can NEVER allow users to see the database objects individually. You need some kind of switchboard form or dispatcher or whatever you wish to call it.
Second, you need to be on a domain where authentication is external to your local workstation (because otherwise someone could just lie about who they are)
Third, EVERY FORM that you open through the dispatcher has to be coded to recognize the roles that individuals could possibly play.
What you want to do is not impossible but the more complex the app, the more tedious it will become to maintain this kind of control. I helped myself to do this by defining some "prototype" forms - one for bound forms and one for unbound forms - that implemented some of the security checks in the prototype "event" codes. Things like the FORM_OPEN, FORM_LOAD, FORM_CURRENT (for bound forms), FORM_CLOSE, etc. I also implemented common command buttons like COMMIT, CANCEL, CREATE, REMOVE, etc. for the various functions that were possible in the form.
The trick here is to keep everything meticulously updated. If you have a bug in one form's FORM_OPEN routine, odds are pretty good it would be everywhere that your prototype was used, so you cannot "let it slide" to fix it for ALL affected forms. The overhead is higher as the number of forms increases. It's just a cost of doing business, I'm afraid.