Channel: Software Communities : Popular Discussions - Dell One Identity Manager

Properly configuring permission groups


Hello everyone,

We're well underway with our Quest implementation and one of the things we're working on at the moment is tweaking our IT-Shop and ensuring the permissions / permission groups are set the way we want them to be.

We've got several database extensions and for some of these records people should be able to edit (or view) their own data through fields in the IT-shop.

For other fields certain managers should be able to view or edit their employee data. In short, we figured it was time to dive into permission groups to get this all set up.

At present we've got a permission group that gives view / edit rights on the required fields and we've made them visible in the IT-shop. As such, when someone logs in and goes to the proper tab they're able to change the required data fields without any issues. In short, we had our first success as the functional demands are met.

At the moment we've done this by ensuring the role granted at login grants view / edit permissions to the database tables.

However, security is obviously a concern as well and we want to ensure that people can only modify their own data fields (and not those of others). We're looking at what we should use for this and the permissions filter (with view conditions / insert conditions) looks like a possibility.

However, as the manual doesn't clearly state what the permissions filters are for, we thought it best to throw our question out into the community with the following questions:

- Are we correct in our assumption that the way we've set it up now (without viewing conditions / edit conditions but with view / edit permissions) someone gets the privilege to edit ALL records in the associated database? (Whether they can reach the records to edit them is another matter of course. We feel the authorisation shouldn't be there.)

- Would the query ( uid_person  =  '%UserUID%' ) for viewing conditions and edit conditions alleviate our fears in that it grants the user privileges on the data fields only for his own account?

- Is there any more extensive manual / best practice on how to set up the permission groups other than the limited data found in the 'standard' Quest manuals?

