"Access rights" are very flexible and can be very simple or very complicated depending on how you set up your system - you might do something seemingly very simple which has a big impact across the system (eg granting GLOBAL rights to users).
Generally the system is very restrictive ; it only lets users see things that they should do (i.e. the "record owner" in your terminology). Its not until YOU start granting extra rights will it start to get complicated.
Rights can be granted over an INSTANCE (i.e. record) level, at an OBS (i.e. organizational structure) level, or a GLOBAL level.
Rights can be granted to INSTANCES (i.e. specific users), to OBS (i.e. resources who belong to an OBS) or to GROUPS of users.
It is vital that you understand how rights work before you start granting them.