Access to attributes of an entity is controlled by Access Rules and Module Roles.
For example, on your Manager Entity, you add an Access Rule for the Module Role ‘User’ and set the EmailAddress attribute to ‘Read’.
Any Project User Role, that is member of the Module Role ‘User’ can now read the attribute EmailAddress.
Every user can see every bit of information, unless it is prevented by Entity's access rules or by Userroles. So basically, don't set up any authorization and you will be fine, but probably you won't get a high grade. Better is to check out Mendix learning path about security