I'm having problems with security in Microsoft CRM 4.0. I have a custom entity called "Rebate." Ownership of this entity is set to user. I've also setup a security role that allows user create, org read, and user write. When I apply this security role to users the write privledge seems to be set to org instead of user even though it shows as user when I look at the role. For example:
1) User A creates a rebate record.
2) Automatic workflow changes ownership of the record from User A to User B (this does work)
3) User A and B can both still edit the record.
Both user A and B have the security role I've created assigned to them and no other role they have assigned has any security settings defined for the rebate entity. Why is this happening? What do I need to do to make sure that only the owner can edit the record? How can I diagnose where the ability for users that don't own the record to write to it?