nrf51822 password on characteristic

Yes. You can achieve this by setting the authorization flag (rd_auth and wr_auth for read and write authorization respectively) in the ble_gatts_attr_md_t type for a characteristic when initializing it. This allows you to intercept the write and read requests to decide whether the requests should be accepted or not.

Here is the message flow chart for the write request with authorization.

In general the message flow charts is good to use to see how this stuff works. You find them all here for the s130 v2.0.1.

Yes. You can achieve this by setting the authorization flag (rd_auth and wr_auth for read and write authorization respectively) in the ble_gatts_attr_md_t type for a characteristic when initializing it. This allows you to intercept the write and read requests to decide whether the requests should be accepted or not.

Here is the message flow chart for the write request with authorization.

In general the message flow charts is good to use to see how this stuff works. You find them all here for the s130 v2.0.1.

how specifically does authentication work? By what principle does it allow / disallow devices?

You get an event from the SoftDevice when the peer wants to read/write, and then you can decide whether you want to update the value/return the value.

but how do I know who this peer is? how to separate devices and where to check their signs

Every connection has an associated connection handle. You identify the peer by this. The peer address is provided in the CONNECT_REQ event that also defines the connection handle.

but what if it is a group of people / devices (administrators) who need access, and another group (users) should not have. how can they be divided?