Andy Brownsword checks out who has access to what permissions:
Item level roles are what we’re digging into here. Before we start, it’s worth defining a simple security model so it’s applied consistently. Let’s be real, the instance might not have a long term future but let’s do it right at least, eh?
Read on for a few high-level suggestions, details on what permissions do not carry over from parent objects, and more.