Restricting Viewer Permissions of Objects in the Repository
For viewing rights to a model (or glossary, etc.), the simplest best practice is to control viewing via configuration access, and not through restricting viewer rights to specific objects which may be in a configuration. This suggestion follows from the fact that any user who needs to open a configuration MUST ALSO have view permissions to all of the models in the configuration (either by explicitly assigning the Metadata Viewingcapability object role assignment to all the objects contained, or if no such assignment has been made, then the object is by default viewable). So, the easiest way to manage access to a model is to simply not include it in any open configuration.
However, if there is a need to define view restrictions on portions of the repository, limiting viewing (even in the repository manager) to a certain set of users, you may use either the View Restricted or the Metadata Viewingcapability object role assignment.