Hi
Go to Tx RSECADMIN and create a new object adding your ZEMPLOYEE and 0TCTQUERY one with ZEMPLOYEE as * for those two queries 0TCTQUERY restricted you want to allow to see all.
Then create a second one limiting the ZEMPLOYEE with authorization variable and the two other queries you only want to allow to see the two employees etc.
hope it helps
Martin