Scenario
We have several subsidiaries, and within these subsidiaries we have different user groups. Our associates may see data from the other user groups within their own subsidiary, the company cards for the subsidiaries (defined as owner companies in SOAdmin, which own associates) and some other companies that should be global information. However, the different subsidiaries are strictly not allowed to see or edit data owned by associates from their sister companies. How do we accomplish this?
Possible solution
This example has subsidiaries in United Kingdom and Germany; the main office is called Role example - central. All of these are owner companies and may own associates.

First, you'll need different user groups for each subsidiary, and then one user group for the information that should be visible for everyone (Global). We also add Global XX groups, which will be used to give each subsidiary access to the global information.

You may of course define several roles. In this example we have used two: one for users who should only be able to edit their own data and read all other data available for the subsidiary, and one for the local administrator, who should also be able to edit all data visible for the subsidiary.
The users are given all the other local groups as "Other groups", meaning all users from the subsidiary in United Kingdom get the other United Kingdom user groups as other groups. The role called Global is the same as User level 0: full access to all data.
Each user gets the group for the country as Primary group, and Global COUNTRY as other group.

Then you need a global user (note: this "user" does not even need login rights; here we use him as a global administrator as well). This user gets all the Global Country user groups as other groups. That way his data will be visible for all who have these Global Country user groups, but the users in Germany and UK will not share any user groups and therefore they will not see each other's data.

All data that should be visible for all users should now be "given" to the Global user. For company cards, this means you set Our contact = Global user.

This data will now be available for all user groups, since his data is part of all Global Country groups due to the other groups membership.
Now, when logged in as Global, you will see all data in the database.
And through the Global user's Other groups memberships, this user's data is now part of the other users' primary group.

Overview of the user, groups and roles
| User | Primary Group | Other Groups | Role |
|---|---|---|---|
| Global | Global | GlobalUK, GlobalGermany | Global |
| UK Admin | UK | GlobalUK | Admin |
| UK user | UK | GlobalUK | User |
| German Admin | Germany | GlobalGermany | Admin |
| German user | Germany | GlobalGermany | User |

Note that we do not have just one other group that all users share, since this would mean they all have a user group in common and thus all would see all data (if I can see you, you can see me).
Roles
| Role | Mine | Primary | Other groups | Other associates |
|---|---|---|---|---|
| User | FULL | Read | Read | None |
| Admin | FULL | FULL | Read | None |
| Global | FULL | FULL | FULL | FULL |

In this setup:
UK user has the same primary group as UK Admin – and can as a "User" read UK Admin's data.
UK user has no groups in common with German user – and cannot see German user's data.
UK Admin has the same primary group as UK user – and as "Admin" can edit UK user's data.
UK Admin has no groups in common with German user – and cannot see German user's data.
UK Admin has GlobalUK in common with Global as other group – and as an "Admin" can read Global's data.
Global has full access to everyone's data.
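
The setup above can be checked mechanically before it is rolled out. The following Python sketch is an added example, not SuperOffice code: it models the two tables under the assumption, taken from the statements above, that sharing a primary group gives the "Primary" right and sharing any other group gives the "Other groups" right. The names `relation`, `access`, `cross_subsidiary_leaks` and `SHARED` are hypothetical.

```python
# Simplified model built from the two tables on this page (an assumption,
# not SuperOffice's own access-evaluation code).
ROLES = {  # role -> right per relation; "other" = Other groups, "none" = Other associates
    "User":   {"mine": "FULL", "primary": "Read", "other": "Read", "none": "None"},
    "Admin":  {"mine": "FULL", "primary": "FULL", "other": "Read", "none": "None"},
    "Global": {"mine": "FULL", "primary": "FULL", "other": "FULL", "none": "FULL"},
}
USERS = {  # user -> (primary group, other groups, role)
    "Global":       ("Global",  {"GlobalUK", "GlobalGermany"}, "Global"),
    "UK Admin":     ("UK",      {"GlobalUK"},      "Admin"),
    "UK user":      ("UK",      {"GlobalUK"},      "User"),
    "German Admin": ("Germany", {"GlobalGermany"}, "Admin"),
    "German user":  ("Germany", {"GlobalGermany"}, "User"),
}
# Constructed misconfiguration from the note: one "other group" shared by all.
SHARED = {u: (p, set() if p == "Global" else {"Global"}, r)
          for u, (p, _, r) in USERS.items()}

def relation(viewer, owner, users):
    """How the data owner relates to the viewer: mine, primary, other or none."""
    if viewer == owner:
        return "mine"
    v_primary, v_other, _ = users[viewer]
    o_primary, o_other, _ = users[owner]
    if v_primary == o_primary:
        return "primary"
    if ({v_primary} | v_other) & ({o_primary} | o_other):
        return "other"  # any group in common
    return "none"

def access(viewer, owner, users=USERS):
    """Right the viewer's role grants on data owned by `owner`."""
    return ROLES[users[viewer][2]][relation(viewer, owner, users)]

def cross_subsidiary_leaks(users):
    """(viewer, owner, right) where a subsidiary user reaches a sister company's data."""
    leaks = []
    for v, (vp, _, _) in users.items():
        for o, (op, _, _) in users.items():
            if "Global" in (vp, op) or vp == op:
                continue  # skip the Global user and same-subsidiary pairs
            right = access(v, o, users)
            if right != "None":
                leaks.append((v, o, right))
    return leaks

if __name__ == "__main__":
    print("per-country Global groups:", cross_subsidiary_leaks(USERS))
    print("single shared group:", cross_subsidiary_leaks(SHARED))
```

With the per-country Global groups the leak list is empty; with the single shared group every UK and German user can read the sister company's data.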