Tried the <restrict/> tag from section "13.6.4. Securing pages"?
I'm not sure I understood the entity restriction question, you could just add a where to the query and add restrictions from identity
PS. Sleep. Productivity isn't related to uptime ;-)
Wow, that was easy! I reverted all changes described above and only put one line into my pages.xml:
And now all department pages can only be accessed by a superadmin.
It is such a small chapter, I have overread it somehow. You need to paint it red and put many exclamation marks around .. and blink. :)
Thanks a lot, now I can go to increase my productivity with a clear conscience. ;)