Showing posts from November, 2012

Force.com object and record level security

Lately I've been involved in several discussions around how the Force.com platform handles object and record level security. I'm surprised that there's still a lot of confusion around this topic despite all of the documentation available out there, so I'll try to explain this topic in more detail. It usually helps to start the conversation by referring to Jason Ouellette’s “Development with the Force.com Platform” book, where he illustrates these layers of security as a funnel. Each request has to go through several layers, starting with CRUD and FLS checks and then moving on to verifying the org-wide default sharing model and any exceptions to the org-wide sharing model, if applicable. If the request “survives” all of these checks, then access is granted. This funnel provides a great way to illustrate how data security works at a high level, but it still doesn't explain all the nuts and bolts involved with sharing rules and how to enforce these levels of security w