OK, I don't know how you have laid out your CME, so I will say in basic terms how to limit access to CME (OCM would be similar).
1. Create an access group for the users that need CME access
2. At the configuration level grant the read permission to your access group. Ensure the Replicate option is NOT selected at ANY step.
3. At the Environment and Resources levels REMOVE the read permission from your access group, ensure propagate is selected.
4. At the Environment level grant the read permission to your access group, ensure propagate is NOT selected.
5. Repeat step 4 at each folder until you get to your "default" application. Probably just "Applications" but you may have other levels.
6. Grant Read and Execute to the access group on the "default" object.
7. Grant Read to the access group on the Hosts Folder, ensure propagate is selected.
This will give the users in the access group permission to start CME, but no permission to see any objects other than hosts.
You will need to go down the resources tree setting read (no propagate) on each folder, resources - persons etc.
I would normally allow the permission to propagate at the final folder level, but I would split persons into sites and then into agent and supervisor folders.
Once again, ensure the Replicate option is NOT selected at ANY step, and be very careful if this is a live environment; try on a model first!