You are looking for a very restricted environment. This is possible, but you should really speak to your Customer Success Manager, Chris Hunt. He can provide you with further information, but here are a few things that you can consider...
1 - System Setting Permission level - If the Permission level is set to Enhanced, users will only have access to the work items that they have a Role on and nothing else.
2 - External Users - similar to Enhanced Permission, this is a user that can only have basic access to work items they are resources on.
3 - Profiles can specify what users can see or not see within the system. For example, you can remove the Add function from the work plan toolbar so that a user cannot Add a work item from the work plan of that work item type (i.e. Task). Or you can specify which modules can be seen in the Navigation bar for the Profile.
4 - Custom CSS - this can be used to change not only how the UI looks but also what can be seen. For example, you can hide the New --> Add Project in the Navigation Bar.
5 - Last, you can set up Validation Rules that will not allow certain fields to be modified based on specified criteria.