Hi @Agzem, how are you doing?
I believe you can achieve what you want by creating a new Role for each user and specifying the field Grant read privileges to specific documents, like the image below:
As you can see I created a new Role which grants read privileges to apm-* but only for production environment.
You can read more about it in the document-level-security page.