What drives activity visibility in MS CRM?

I've been doing a deep dive into the effects of the security model. I recently noticed that the UI does not support sharing of activities to users or teams. This came as an unfortunate surprise because I was planning on "sharing" to be my way out of a tricky situation concerning visibility of activities between business units.

Imagine a scenario with three business units: Executive, Finance, and Staff where Executive is the parent business unit to both Finance and Staff. The security roles in use all allow organizational read for accounts and contacts but only deep read access for activities. The organization President and VP are members of the Executive BU, the CFO and accounting pros are members of the Finance BU, and the marketing, sales, and service folks belong to the Staff BU.

With this basic setup everyone in the company can see any account or contact due to the organizational read privilege. The President and VP can see any activity because they are at the top and have deep read privilege on all activities. The people in the Finance BU can see each others activities due to the same deep read privilege. The same is true for people in the Staff BU. By design people in the Staff BU cannot see activities owned by members of the Executive and Finance BU and members of the Finance BU cannot see activities owned by members of the Executive or Staff BU.

Now the problem is that sometimes the President is communicating with a CRM contact and may make a deal with the contact that others in the company need to know about. However the security roles don't allow this. My first thought was all you need to do is share the activity out to other users and they could see it, but as I stated earlier that is not an option.

In turns out that CRM is smarter than I thought about activity visibility. When an activity is linked to a record using the Regarding field, the owner of linked record inherits visibility to the activity. Therefore they can see the activity even if their native security role would prevent it. It is important that this only applies to the owner of the linked record not everyone that has visibility of the linked record. It also turns out that you can take this one step further. If you share access to the linked record than anyone that you granted shared read access, will also be able to view any activities linked to the share record.

One other side note – this inherited visibility does not apply unless the activity is linked via the Regarding field. Linking through the activity parties as sender, recipient, organizer, etc does not make the activity visible to the owner of the contact or account record. Therefore if the President emails a contact owned by a Staff member the Staff member cannot see the email unless the President explicitly links the email to the contact in the Regarding field.