Dynamics 365 Security Gotcha – Notes & other related records

I was investigating an issue where a tester was able to view a note against an opportunity which they weren’t meant to. This note was owned by a user from a different business unit and the security roles assigned to the tester allowed for business unit level read only of notes. I checked and triple checked that the tester wasn’t inheriting any roles from teams or assigned a role that provided organization-wide visibility to the notes. I was stumped. Turned out my colleagues had seen this…