Since all trigger triggered spels are run under superuser account, data partition and functional access constraints will not work. In this document I provide the spel script to check what kind of functional access for the object has role of the logged in user.
To call provided function use following statement:
api::manual_security("cr")