Hi @amitay
Read this section of this article which example how to limit the permissions that granted to be able to read a confidential attribute. You can either assign the permission at the ou level with a single group or manually assign the user specific rights to their workstation object.
Gary.