Welcome to the forum...
The best place to start is here:
administrators: full access, full permissions. -- This can be done in Permissions settings of Retool
agents: In tables can see only reserved data and reserved table, only update on data -- This may be a little more complicated First, you have to create the agents group and then in the table inspect panel set hide to true if the current user is in the agents group.
Seeing or showing "reserved" data -- not sure what you mean here.
secretary: all tables, all data, no delete
In the delete query panel go to Advanced tab and add conditional in Disable query if current user is in Secretary group.
I have managed group permissions in a few applications and it can be complicated but you will eventually get there. Post back if you need something else.