Provided that you were using host based authentication you could manually go through and assign read access to particular groups in FishEye. It wouldn't be automatic though, fisheye cannot infer read access from the OS user/group permissions to the physical repository
The way it is secure repos are ‘secure’ based on the ‘group’ of the folder housing the repository. If a repository folder is group-owned by group called ‘secure’ (or ‘hgsecure’) then only people in that group can see that repository.
The non-secure repositories are group-own by a group called ‘engineering’. And everyone is in that group. So basically it boils down to the linux file system permissions.