Security Roles
Privileges (create, read, write, delete, append, append-to, assign, share) applied to tables, with access levels (user, BU, parent-child, org). Every user needs a role.
Business Units
BUs create data boundaries. User-level access limits to records you own; BU-level to records in your BU. Model BUs on your org structure.
Teams
Users can belong to teams. Teams can own records. Shares records with the team’s members. Useful for cross-BU collaboration.
Hierarchical Security
Manager hierarchy grants managers access to direct reports’ data. Useful; configure carefully to avoid unintended data exposure.
Common Misconfigurations
Giving ‘Organization’ access level when ‘Business Unit’ would do. Not restricting Append-To privileges (they control whether a record can be associated, not just opened). Audit quarterly.