Krishna,
You may explore user groups (which in combinations with system level restrictions you already have can work pretty well)
But rather than going through such an effort, using an easy to understand naming convention for your FF IDs may work better. In cases where a FFID request has to be made by someone other than end user (on end user's behalf i.e. is delegated), the business requirement you are working on may become too restrictive. So a naming conventions as simple as F_ECC_SEC01 may work better than altering the BRF+ rules.
Regards
Shivraj Singh
