OK I believe I have everything fully resolved but there is one last thing I'm not totally clear on.
Using your help I was able to get the desired behavior for project records based on their creators and owners, however I did this with strict rights on.
I would rather be more strict than less strict, but I'm not sure how this deployment is going to evolve.
If I came to an impasse some time in the future I needed to flip the strict rights setting, would it be easier to manage the side-effects that would come from starting with it enabled and then having to disable it for whatever reason? Or vice versa? Or is it too difficult to tell?
I can't even begin to foresee what kind of problems might occur in one scenario or the other.
I appreciate your help. I will try some of this stuff out and see how it works but I was hoping you could clarify one thing for me:
Are groups inherited only at certain instances in the life of a record? Like is the "created by" group inherited at the moment of creation, or is it checked dynamically whenever that record is accessed, the groups of the creator are checked too?
Put another way, if someone creates a record, and then they are added to a group some times later, will that record also inherit that group? Or does the user have to be a member of that group at the time the record is created?