We set the partition of the process to match the partition of the user, and the user was then allowed to see the process. Once we turned mac_seeotheruids back on, the ability to see the process was removed. mac_seeotheruids takes priority over mac_partition, but using the two in conjunction still adds to the security. Also keep in mind that partition "0" will always take priority over the partition labels. Anyone in the wheel group will still be able to see the processes of other users, regardless of the partition a process is set to.
How we use these two together in an actual business situation is quite simple. If you are allowing members of the same primary group to see each other's processes, you can set users from the same primary group to different partitions.
Primary group: Users
Joe Partition/10
John Partition/10
Joan Partition/11
Lisa Partition/11
Max Partition/15
In a situation like this, we are separating people into sub-groups without having to deal with the DAC (discretionary access control) caveats. Say Joe and John are in the accounting department, and Joan and Lisa are in the HR department. Max is in accounting as well but, being a new employee, we don't trust him just yet. So what we've done is give each department a partition, and the new user a semi-trusted partition.
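One way to turn the table above into configuration, as an added example that is not from the original article: the script only prints the login.conf classes and the commands for review, it applies nothing. The class names (part10 and so on), the lowercase account names and the `tc=default` inheritance are assumptions.

```shell
#!/bin/sh
# Added example: renders (does not apply) FreeBSD login classes for the
# user-to-partition table above. Class names "partNN" are constructed.

# Constructed from the table on this page, as user:partition pairs.
ASSIGNMENTS="joe:10 john:10 joan:11 lisa:11 max:15"

# Accept only positive integers. The page notes that partition 0 takes
# priority over partition labels, so it is refused here.
valid_partition() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Print one login.conf class per distinct partition in ASSIGNMENTS.
render_login_classes() {
    seen=""
    for pair in $ASSIGNMENTS; do
        part=${pair#*:}
        valid_partition "$part" || { echo "bad partition: $pair" >&2; return 1; }
        case " $seen " in *" $part "*) continue ;; esac
        seen="$seen $part"
        printf 'part%s:\\\n\t:label=partition/%s:\\\n\t:tc=default:\n' "$part" "$part"
    done
}

# Print the commands that rebuild the login database and move each user
# into the class that carries its partition label.
render_user_commands() {
    echo 'cap_mkdb /etc/login.conf'
    for pair in $ASSIGNMENTS; do
        user=${pair%%:*}
        part=${pair#*:}
        valid_partition "$part" || return 1
        printf 'pw usermod %s -L part%s\n' "$user" "$part"
    done
}

echo '# append to /etc/login.conf:'
render_login_classes
echo '# then run as root:'
render_user_commands
```

After the classes are in place and the users have logged in again, `ps -axZ` shows the label each process carries.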