...
1. User X can use Artifact Y for anything that artifacts artifact supports and on any data (where "artifact" is a screen, web page, part of a screen or page, service, general logic, etc). Details
2. User X can use Artifact Y only for records determined by Constraint Z. Details
3. User X can use any artifact for records determined by Constraint Z. Details
4. Artifact Y can be used by any user for any purpose it supports. Details
5. Artifact Y can be used by any user for only for records determined by Constraint Z. Details
6. User X can use any artifact for any record (ie superuser). Details
NOTE DEJ 20090514: the Proposed Implementation Details above currently does not support #3, but supports all others pretty well.