Record Security
Record Security is used to determine which Teams and/or Users can see which Records within a Record Type. If a user is accounted for in one of the rules then the only items that user can see are those that match their respective settings. If a user is not accounted for by the rules then they will be able to see all record in the Record Type.
To setup Record Security, add a new security rule for the field(s) on which you wish to limit access. For instance, if you want to make sure that a certain team only has rights to see invoices from the ACME company then you might add a rule for the VendorName field.
Next, enter the value(s) that you want to make sure the can see in the Value From field. In the example above that would be "ACME". If you had a range you wish to limit on (dollar amount, date, etc) you can use the Value From and Value To fields to provide the range. NOTE: You can use server or user variables in these fields but not Record, Document or Workflow variables because they are not available until AFTER a Record has been found - not before.
Lastly you will want to select who is limited by this rule.You can select users, teams or a combination of both. Anyone selected or anyone in the teams selected will only be able to see records that match this rule. Use the ALL USERS team to apply the logic to everyone. You can also specify to apply the security for anyone NOT in a team - which is handy for certain applications such as AP where anyone NOT in the Accounting team can only see invoices for their own department.
Multiple Possible Values
An advanced usage of this feature is to compare a field value with a list of possible matches. You can do this by setting the Value From setting to a list delimited by | (pipe) symbols. For instance, you could set a security rule where an invoice is only visible if the Department field is set to "HR", "Admin", "Warehouse" or "Other". Just set the Field Name to "Department" and Field Value to "HR|Admin|Warehouse|Other".
Team Security
You can combine the Multiple Possible Values method above with the variable called USERTEAMS to secure a record based on team membership. [USERTEAMS()] will return a pipe-delimited list of all the team names in which the current user is a member. If you use this for the Field Value setting then if any of that user's team names match the field value then they will have access.
AND vs OR Logic
If a user matches more than one Record Security rule, then the rules are applied by default using OR logic. This means if a Record matches ANY of the rules then the user is allowed access. The opposite logic uses the Exclusive setting which converts that rule to use AND logic. If the Exclusive switch is set and the user is affected by this rule then that rule MUST be matched in order to see the Record.
As an example, if you have one rule that affects a user that says they can only see Records where Vendor=ACME (exclusive) and another that says they can only see where PAID=NO (exclusive) then the user can see all ACME records where PAID=NO. If both of the rules are NOT exclusive then the user will see all records where Vendor=ACME OR Paid=NO. Which means they may see Records from other vendors where PAID=NO and could also see PAID=Yes records for ACME.
Best Practice Use
The AND and OR logic can typically be used inside of a single rule. You can have one rule that says the user is limited to ACME and PAID. This is normally the preferred method. You should only add extra rules if you cannot embed all the logic into one rule. Also, try to minimize the number of rules that affect a single user or team. Not only is it more complicated to deal with but the more rules a user is affected by, the slower their searching will be.