Okay, I see I'm still not grasping this correctly.
My confusion came from this: suppose I go to the Contacts list, and select a few contacts. Then I can do two things:
1. Choose Mass update, and from there I can "Assign to" some user;
2. Choose Mass Assign Security Groups, on the very bottom of the screen, and assign the records to a Security Group.
So, it seems there are two "assignment" concepts, only I wasn't interpreting them correctly.
Would you say the following interpretation is more correct?:
one Assignment is to assign records to users, which determines ownership, as you explained.
the other Assignment is to assign Security Groups to records, which has nothing to do with ownership
The actual right to access something will come from these things "matching", according also to what is defined in the applicable roles.
This is an excellent article and it really helped me develop my configuration. I have a question, though: how exactly do we define "ownership"?
When you say "Create a role called Owner Only and set the rights for everything to Owner", this will be used in conjunction with the assignment of records to specific groups.
So if I understand correctly, "ownership" here would be defined like this: a user "owns" a CRM record (of any type) if-and-only-if that record is security-suite-assigned to a security-group to which a user belongs.
This is not to be confused with simple record-assignment (the "assigned to" field), or record creation (unless record creation causes security-group-assigment, in the cases where it is created with relation to a previous record, and so inherits the parent record's security groups).