With API 3.12 through DataControl and DataControlRoleValue is possible to give access only to some specific objects. 

For instance if we want that the users that belong to the security role testRole can have access only to the documents connected with the business partner with key 20867070 and 22210381, a DataContol object like this has to be posted:

{
    "objectName": "Document",
    "attribute": "businessPartner.key",
    "dataControlRoleValues": [
        {
            "role":  "testRole"
            "valueType": "Long",
            "value": "20867070"
        },
        {
            "role": "testRole",
            "valueType": "Long",
            "value": "22210381"
        }
    ]
}

• objectName the Dataloy object that has to be applied the access control
• attribute the attribute name to be used to restrict the access
• role the security role that will use the access control
• value the value to use as filter to restrict data
• valueType  the type of the value (Integer, String)