There is a requirement that users in China cannot see user records in their country as well as user records from different countries. Is my approach the right way to apply the permission at the Business Unit level? I.e., I created two sets of Business Units under the root BU: 1) China BU and 2) Other BU. I added China users under ChinaBU.
Next, I created two custom roles (ChinaUsersRole and OtherUsersRole). For users from China I configured the security roles salesperson and ChinaUsersRole.
Inside the security role ChinaUsersRole, for each of my required entities (leads, contacts, opportunities, accounts, cases etc.), I have given Parent-Child BU for the Read permission. Does that make sense, or should any other approach be taken into consideration?
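A simplified model of the setup described in the post above, as an added example that is not part of the original question: it evaluates which leads a ChinaBU user can read when role privileges are combined, since security roles are cumulative and the broadest access level granted by any assigned role applies. The names `Level`, `can_read`, `broad_role`, the user names and the sample records are constructed for illustration, and the model ignores sharing, team ownership and hierarchy security.

```python
from enum import IntEnum

class Level(IntEnum):          # read access levels, narrowest to broadest
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANIZATION = 4

# Business unit tree from the post (child -> parent); "Root" is the root BU.
PARENT = {"Root": None, "ChinaBU": "Root", "OtherBU": "Root"}

def in_subtree(bu, top):
    """True if bu is top or one of its descendants."""
    while bu is not None:
        if bu == top:
            return True
        bu = PARENT[bu]
    return False

def effective_level(roles, entity):
    """Roles are cumulative: the broadest level any assigned role grants wins."""
    return max((r.get(entity, Level.NONE) for r in roles), default=Level.NONE)

def can_read(user, user_bu, roles, record):
    level = effective_level(roles, record["entity"])
    if level == Level.ORGANIZATION:
        return True
    if level == Level.PARENT_CHILD:
        return in_subtree(record["owner_bu"], user_bu)
    if level == Level.BUSINESS_UNIT:
        return record["owner_bu"] == user_bu
    if level == Level.USER:
        return record["owner"] == user
    return False

# Constructed sample data (not from the post).
china_users_role = {"lead": Level.PARENT_CHILD}   # as configured in the post
broad_role = {"lead": Level.ORGANIZATION}          # hypothetical second role
lead_cn = {"entity": "lead", "owner": "li", "owner_bu": "ChinaBU"}
lead_other = {"entity": "lead", "owner": "sam", "owner_bu": "OtherBU"}

if __name__ == "__main__":
    for roles in ([china_users_role], [china_users_role, broad_role]):
        print(len(roles), "role(s):",
              can_read("wei", "ChinaBU", roles, lead_cn),
              can_read("wei", "ChinaBU", roles, lead_other))
```

The second case shows why the Read level of every other role assigned to the same user needs to be compared per entity: a broader level in any one of them overrides the Parent-Child BU restriction in ChinaUsersRole.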