I learned an important lesson, again, about making sure you have all of your facts.
This is often referred to, in English, as “Crossing your T’s and dotting your I’s.” (My blog title is just a twist on that, to confuse people and get them to read this article.)
Rule #1: Never Assume
What was my lesson learned? Never assume. I should know this by now; heck, we should all know this by now.
But assume is what I did, and it took me way longer to discover the truth than it should have.
The Scenario
I configured Hierarchical Security for one of my customers to fit a business requirement. After some initial struggles with comprehension and implementation, it was working the way that the documentation says it should.
Then it wasn’t working like the documentation said it should.
People could see records (mostly activities, in this case) that were well outside of their area, and it made it seem like the whole Hierarchical Security feature was broken.
I reviewed all of the user's settings and security roles, but sure enough, logged in as that normal user, I could see activities that were not his.
The Chase
Running out of other options, I called my friend Scott Sewell and we discussed the options. I ran security reports using my SnapShop! utility, and we looked at the Principal Object Access (POA) table, and still didn’t see how in the world this user could see these records.
Then Scott said:
Are there any security roles assigned to any teams he is a member of?
“No,” I said. “We don’t have any teams for users like him.”
But just to be safe, I went and looked. Sure enough, no teams had been assigned to him explicitly; but he was a member of the business unit's default team, since every user is a member of the default team of his or her business unit.
Surely there are no security roles on the business unit team. Or are there?
The Solution
Just to be safe and cover everything, I opened the business unit team, clicked on Manage Roles, and what did I find?
Not one but TWO security roles.
A user's effective privileges are the union of the roles assigned directly to the user and the roles assigned to every team the user belongs to, the default business unit team included. These two roles therefore circumvented all of my carefully crafted security for this user and gave him far broader access to other people's records.
I removed the two roles, refreshed the activity view, and the records that had previously been visible were suddenly, and appropriately, no longer visible.
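The check I should have run first, as an added example that is not from the original post: list every security role a user holds, both directly and through each team he belongs to, using the Dataverse Web API. The environment URL, bearer token and user id are placeholders you supply; the navigation property names (systemuserroles_association, teammembership_association, teamroles_association) are the ones documented for the Dataverse Web API, so confirm them against your org's $metadata if your version differs.

```powershell
# Added example, not code from the original post.
# Enumerates the effective security roles of one Dataverse / Dynamics 365 user:
# roles assigned directly, plus roles inherited from every team the user is in,
# flagging the business unit's default team (isdefault = true) because that is
# the membership the UI makes easy to overlook.
$OrgUrl = "https://yourorg.crm.dynamics.com"          # assumed environment URL
$Token  = "<OAuth bearer token for the org>"           # assumed, e.g. obtained via MSAL
$UserId = "00000000-0000-0000-0000-000000000000"       # assumed systemuserid to audit

function Get-EffectiveRoles {
    param(
        [Parameter(Mandatory)] [string] $OrgUrl,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $UserId
    )

    $headers = @{
        Authorization      = "Bearer $Token"
        Accept             = "application/json"
        "OData-MaxVersion" = "4.0"
        "OData-Version"    = "4.0"
    }
    $api = "$OrgUrl/api/data/v9.2"

    # 1. Roles assigned directly to the user record.
    $direct = Invoke-RestMethod -Headers $headers -Method Get -Uri `
        "$api/systemusers($UserId)/systemuserroles_association?`$select=name,roleid"
    foreach ($r in $direct.value) {
        [pscustomobject]@{ Source = "User (direct)"; Role = $r.name; RoleId = $r.roleid }
    }

    # 2. Every team the user is a member of. The default business unit team is
    #    returned here too, even though nobody ever "added" the user to it.
    $teams = Invoke-RestMethod -Headers $headers -Method Get -Uri `
        "$api/systemusers($UserId)/teammembership_association?`$select=name,teamid,isdefault"

    # 3. Roles on each of those teams; the user inherits all of them.
    foreach ($team in $teams.value) {
        $teamRoles = Invoke-RestMethod -Headers $headers -Method Get -Uri `
            "$api/teams($($team.teamid))/teamroles_association?`$select=name,roleid"
        $label = if ($team.isdefault) { "Team '$($team.name)' (default BU team)" }
                 else                 { "Team '$($team.name)'" }
        foreach ($r in $teamRoles.value) {
            [pscustomobject]@{ Source = $label; Role = $r.name; RoleId = $r.roleid }
        }
    }
}

Get-EffectiveRoles -OrgUrl $OrgUrl -Token $Token -UserId $UserId |
    Sort-Object Source, Role |
    Format-Table -AutoSize
```

Any row whose Source is the default business unit team applies to every user in that business unit, not just the one you are troubleshooting, so a role showing up there is the first thing to question when a user can see more than his own roles and Hierarchical Security settings would allow.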
Lesson Learned
I am working with another partner on this customer, and there were several cooks in the kitchen, so to speak.
Never make any assumptions about configuration just because YOU didn’t do something.