In the admin section of the GUI (User icon in top right corner > Admin), you can create Permissions and assign them to Groups.
Each "Permission" consists of (View/Add/Change/Delete) for one or more object types.
If as you say, these users currently have read permissions to all objects, then either:
- they are in a group which has been granted all read permissions
- you have set EXEMPT_VIEW_PERMISSIONS in configuration.py
Therefore you will need to modify that to revoke their existing permissions.