One of the coolest features of Microsoft Dynamics CRM is the slicing and dicing you can do with security roles. It is also one of the more complex features of the software.
Microsoft uses the concept of a Business Unit as a core security feature. I often explain business units as a rock wall divider within any given database, but given that Microsoft allows for a tree factor this is not necessarily a black and white rule.
The reason I emphasis "rock wall" is because once you create a business unit it becomes difficult to share data across business units without a more complex design. For those firms who do not have complex security needs I recommend keeping business units to a minimum. They are easy to abuse and can create some long term pain.