
D365 CE Security Model - let users access tickets owned by themselves, their team and its team members


I want to define a security model in the CRM Service module (I am using private queues & Owner teams), where users can access cases/tickets assigned to
1.) self,
2.) Owned by the team itself that they are part of
3.) Owned by team members, who are part of teams where I am also a team member.

Out of the box, only user-level or BU-level permissions can be defined.

User-level security lets users access all the tickets (cases) assigned to themselves and owned by their teams. The Business Unit level security model lets users access all the tickets owned by all the users in that BU, irrespective of their team membership.

How can we solve such a security model?



Solution

  • Answer edited after further analysis:

    If you want to keep the owning user intact, you should be using an object-based security model by calling GrantAccessRequest whenever a ticket is created. You should query the teams the ticket owner is part of and share with all those teams. This is like UI record sharing to a team, but from a plugin instead. POA size will grow relatively. (This will take care of Tickets 1, 2, 3, 4 and 5.)

    Also, User2 will get access to Tickets 4 & 5 only.

    The security role should have user-level Read/Edit access. The same role has to be assigned to the team as well. (This will take care of Tickets 1, 2 and 3 + skip Tickets 6 and 7.)

    I would not recommend the rabbit hole Access teams approach for this scenario unless needed.
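
The sharing plugin described in the answer above, sketched as an added example that is not part of the original answer or any Microsoft sample. The class name, the post-operation Create registration on `incident`, the presence of `ownerid` in the Target, and the read/write access mask (chosen to match the "Read/Edit" role) are assumptions.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Assumed registration: post-operation stage, Create message, "incident" (case) entity.
public class ShareCaseWithOwnerTeams : IPlugin   // hypothetical class name
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // null = run as SYSTEM, so the share does not depend on the caller holding Share privilege.
        var service = factory.CreateOrganizationService(null);

        Entity target = context.InputParameters.Contains("Target") ? context.InputParameters["Target"] as Entity : null;
        if (target == null || target.LogicalName != "incident") return;

        // Assumption: ownerid is present in the Target at this stage.
        var owner = target.GetAttributeValue<EntityReference>("ownerid");
        // Team-owned cases are already visible through the team's user-level role.
        if (owner == null || owner.LogicalName != "systemuser") return;

        // Owner teams the case owner belongs to. The default business unit team is excluded:
        // every user in the BU is a member of it, so sharing with it grants BU-wide access.
        var query = new QueryExpression("team") { ColumnSet = new ColumnSet("teamid") };
        query.Criteria.AddCondition("isdefault", ConditionOperator.Equal, false);
        query.Criteria.AddCondition("teamtype", ConditionOperator.Equal, 0); // 0 = Owner team
        var link = query.AddLink("teammembership", "teamid", "teamid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, owner.Id);

        foreach (Entity team in service.RetrieveMultiple(query).Entities)
        {
            service.Execute(new GrantAccessRequest
            {
                Target = new EntityReference("incident", context.PrimaryEntityId),
                PrincipalAccess = new PrincipalAccess
                {
                    Principal = new EntityReference("team", team.Id),
                    // Read and write only: no delete, assign or re-share rights for team members.
                    AccessMask = AccessRights.ReadAccess | AccessRights.WriteAccess
                }
            });
        }
    }
}
```

The shares are computed once, at create time. A later change of case owner or of team membership is not reflected until the shares are recomputed, with `RevokeAccessRequest` removing any that have become stale.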