Sharing Records - unexpected behaviour
When a user shares a record with another user the sharing user specifies the permissions to share.
Consider this scenario:
a) User A is a member of one role only that gives him None - Delete access and Organization Level Read and Create Access on Accounts.
b) User B is a member of one role only that gives him User Level Delete access and Organization Level Read and Create access on Accounts.
c) User A may create and view accounts but not delete any and User B may create and view accounts but only delete the ones that he owns.
d) User A owns an Account, "ABC". Neither User A nor User B can delete the ABC record but both users can view the account.
e)User A shares the account with User B and grants Read, Write and Delete.
f) The CRM application will allow User B to delete the account, "ABC".
User A and User B have been able to acheive an outcome that neither of them could achieve separately. Although this may seem wrong, it is in accordance with the CRM security and sharing model.