This might be something to keep in mind: if you have two entities with a parental relationship between them, your users may still be able to re-assign a child record to others even if they don’t have “write/assign” permissions on the child entity.
In the example below, the Sales Person role does not give “write” and/or “assign” permissions on the Test SLA entity:
So a Sales Person can’t do anything with Test SLA directly:
But they can still go to the parent record which is currently assigned to me:
And re-assign that record to themselves:
And here we go – that child “Test SLA” record is now re-assigned to the Sales Person user as well:
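One way to audit for this, as an added example that is not part of the original post: cross-check relationship cascade settings against a role's privileges and list every child entity a role can re-assign only through its parent. It assumes a Dynamics 365 / Dataverse environment (the post does not name the product) whose relationship metadata exposes `CascadeConfiguration.Assign`, and that assigning the parent requires the assign privilege on it; the entity names, relationship names and the role matrix are constructed for illustration.

```python
import json

# Constructed sample shaped like OneToManyRelationshipMetadata records;
# all entity and relationship names here are hypothetical.
RELATIONSHIPS_JSON = """
[
  {"SchemaName": "new_parent_new_testsla",
   "ReferencedEntity": "new_parent", "ReferencingEntity": "new_testsla",
   "CascadeConfiguration": {"Assign": "Cascade"}},
  {"SchemaName": "new_parent_new_note",
   "ReferencedEntity": "new_parent", "ReferencingEntity": "new_note",
   "CascadeConfiguration": {"Assign": "NoCascade"}},
  {"SchemaName": "new_parent_new_task",
   "ReferencedEntity": "new_parent", "ReferencingEntity": "new_task",
   "CascadeConfiguration": {"Assign": "UserOwned"}}
]
"""

# Constructed role matrix: role -> entity -> privileges granted on it.
ROLE_PRIVILEGES = {
    "Sales Person": {
        "new_parent": {"read", "write", "assign"},
        "new_testsla": {"read"},
        "new_note": {"read"},
        "new_task": {"read", "write", "assign"},
    },
}

# Every Assign behaviour except NoCascade moves at least some child records.
CASCADING = {"Cascade", "Active", "UserOwned"}

def indirect_assign_paths(relationships, role_privileges):
    """Return (role, parent, child, relationship, behaviour) tuples where the
    role may assign the parent, the assignment cascades to the child, and the
    role holds no assign privilege on the child entity itself."""
    findings = []
    for role, privs in sorted(role_privileges.items()):
        for rel in relationships:
            behaviour = rel.get("CascadeConfiguration", {}).get("Assign", "NoCascade")
            parent, child = rel["ReferencedEntity"], rel["ReferencingEntity"]
            if behaviour not in CASCADING:
                continue
            if "assign" in privs.get(parent, set()) and "assign" not in privs.get(child, set()):
                findings.append((role, parent, child, rel["SchemaName"], behaviour))
    return findings

if __name__ == "__main__":
    for f in indirect_assign_paths(json.loads(RELATIONSHIPS_JSON), ROLE_PRIVILEGES):
        print("%s: assigning %s re-assigns %s via %s (%s)" % f)
```

Each finding is a relationship to review: either change its assign behaviour so ownership of the child no longer follows the parent, or accept that the role's effective rights on the child are wider than its privilege grid shows.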