Workflow Scope and Security in Microsoft Dynamics CRM

I'd built numerous Microsoft CRM Workflows since Microsoft CRM v1.0.  In my mind - Microsoft CRM Workflow would be the ideal design approach to use if it can meet the automation requirement.  During a recent Microsoft CRM System Administrator training, I had an opportunity to discuss about the Microsoft Workflow Scope and Security settings.  Here are the details:

Under the Microsoft Dynamics CRM Security Role, Customization tab, there is a "Workflow" entity to set security privileges on.  This setting controls the Workflow privileges for CRM Users assigned to this security role.  For example - if the user can only "Read" Workflow (1/4 filled circle) - then the user can only view Workflow(s) where the user is the "owner" of the Workflow(s).  This impacts the "On Demand" Workflows that are available to the user - the user can only manually run Workflow(s) that he or she can view.  From a security perspective, a Workflow record (Workflow Rule) behaves like any other CRM record.
 

What about "Automatic Workflows Scope"?  The funny thing is that this also behaves like a security setting - the scope setting is tied to the Workflow's owner.  For example - if the Automatic Workflow scope is "User" - only the CRM records owned by the Workflow's Owner will be triggered if it meets the Workflow's automatic condition.  If the setting is "Organization" - any CRM records could trigger the Workflow if they meet the Workflow's automatic condition.

The primary difference between an "On demand" setting vs. "Automatic" workflows is that "On demand" is performed by the CRM user that manually invoked the workflow vs. "Automatic" where it is the Workflow's Owner performing the action upon triggered.  Either way, the Microsoft CRM security privileges are enforced.