Not sure what database you are on, but we are on DB2/400.
Probably the surest way is to control the log-in ID that the third-party tool uses and limit its authority. Any third-party tool that we use has read-only authority over the OneWorld objects. Also, on the AS400 you can completely exclude certain users from certain files - I'm sure something similar exists for SQL and Oracle databases.