You are probably going to want to look into mapping the meta caps. This will let you have a function that individually right before WordPress decides on whether or not to give access to certain functionalities.
With that, you can do a check for the level of user (say administrator), and only grant access to read and edit contracts if the user meets that level. You can even take it further to not only check for being an administrator, but also check if the user has a certain ID (or set of IDs).
add_action( 'map_meta_cap', 'my_meta_cap', 10, 4 );
function my_meta_cap( $caps, $cap, $user_id, $args ){
if( current_user_can( 'administrator' ) ){
return array( 'edit_contract' );
}
return array();
}
You can also do cool things like check the author of the contract and such before granting access. You could make a custom rule that contract written by you can’t be edited by anyone else, but you can edit anyone else’s contract.
There are a few interesting references to learn more about this granular control. I found these while researching your question (in Google):