Can we define custom roles and limit access to specific project objects or fields?

Easy Redmine's role based access control (RBAC) is very granular. It separates read, edit, delete for every entity type containing potentially sensitive data. Roles are user defined and there is no limit to the possible combinations.

On a more detailed level, even specific fields are controled for visibility or editability based on user's role.