The long answer is
this video, though it's about 50 minutes long.
There is also this:
http://bobsguides.com/revolution-permissions.html
The short answer:
1. Create a Resource Group called AllDocs
2. Put *all* resources on the site in that Resource Group.
3. Create a Resource Group Access ACL entry for the Administrator group with a policy of Resource, context 'mgr'.
Do *not* put the users who can only access the single resource in that group.
That will protect all those resources from non-admins.
Now, you need to override that to allow access to the single resource for specific users:
1. Create a User Group called SingleAccess containing the users who can access just that resource,
2. Create a Context Access ACL entry for the group for the 'web' context, and another for the 'mgr' context, use the ContentEditor Policy.
(This lets them log in and see resources in the 'web' context in the tree).
3. Create a Resource Group called Single Access and put the docs they can see in it.
4. Create a Resource Group Access ACL entry connecting the SingleAccess User Group with the SingleAccess Resource group, with a context of 'mgr' and a policy of 'Resource'.
That will let the users see, edit, and delete resources in that group. If you don't want all those permissions, uncheck some on the ContentEditor Policy (or, better, duplicate it, specify the duplicate policy in the Context Access ACL entry, then uncheck permissions on the duplicate Policy).
Also, go to
http://bobsguides.com/revolution-permissions.html. On the top menu, go to MODX Security Permissions -> Revolution Permissions and look at the Basic Security Tutorials and Advanced Security Tutorials.
There is also this:
http://bobsguides.com/hiding-resources-in-the-manager.html