Hi
In your custom BO at root level you should use association with annotation [RelevantForAccessControl]
[RelevantForAccessControl] association toBusinessPartner to Company;
you can get details for access control in SDK document under topic "Define Access Control"
Regards
Sunil