How can I configure access groups for only users who are employees (not resources)?

Here are the high-level steps:

  1. Clone the Case Worker and Manager Job Role and the related Supervisor Duty roles, respectively.

    Also see: Why can I see cases that I shouldn't be able to see?

  2. Add Employee users to the new job role.

    Also see: Why don't I see my custom role in the corresponding system access group?

  3. Associate access group rules to the system access group.
  4. Publish the access group rules.