Akif - akif.tech.ae
    September 02

    Reparenting Cascade behavior in MS CRM

    Issue:

    Let's say I have Campaign A, created by user User1. Now when I log in as CRM Admin, create a planning task and assign it to User2, User1, being the owner of the Campaign, gets complete access to this task, although the role of User1 has neither read nor write access to other people's tasks. When I check the DB, inheritedaccessrightsmask for the object is set to a non-zero value, which should be for CRM Admin, not for User2. In other words, although CRM Admin has reassigned this task to User2, its inheritedaccessrightsmask is not reset. If I log in as User1 and create a task for User2, I immediately get access denied, and the task is created for User2, on which User1 has neither read nor write access.

    Since workflows usually run as CRM Admin, this happens with all tasks, and Campaign owners can play with approval tasks, which is not good.

    Resolution:

    What we need to do is change the cascading relationships on Campaigns / Accounts / Contacts / Custom Entities etc. The issue is with the Reparent cascade behavior. Reparent is what takes care of granting rights when a new child record, such as a Task, is created. If Reparent is set to Cascade All, then when you create a new Task/Activity under a parent record (Account, Contact, Campaign etc.), the Reparent rule grants the owner of the parent record access to the child. So change it from Cascade All to Cascade User-Owned.
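
To find tasks that already carry access granted this way, the added example below (not code from the original post) audits rows exported from the access table and flags any principal who holds a non-zero inheritedaccessrightsmask on a task they do not own. It assumes the rows come from the PrincipalObjectAccess table, that the mask uses the CRM SDK's AccessRights bit values, and that the helper names and sample rows are constructed for illustration.

```python
# AccessRights bit values as defined in the Dynamics CRM SDK enum (assumed
# to be what the mask columns encode; bits outside this set are reported raw).
ACCESS_RIGHTS = {
    "Read": 0x1, "Write": 0x2, "Append": 0x4, "AppendTo": 0x10,
    "Create": 0x20, "Delete": 0x10000, "Share": 0x40000, "Assign": 0x80000,
}
KNOWN_BITS = sum(ACCESS_RIGHTS.values())


def decode_mask(mask):
    """Turn a rights mask into a list of right names plus any unknown bits."""
    names = [name for name, bit in ACCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"other:0x{leftover:x}")
    return names


def find_inherited_access(poa_rows, task_owner):
    """Flag principals holding inherited rights on a task they do not own.

    poa_rows:   dicts with ObjectId, PrincipalId, AccessRightsMask,
                InheritedAccessRightsMask (hypothetical export format).
    task_owner: mapping of task id -> current owner of that task.
    """
    findings = []
    for row in poa_rows:
        owner = task_owner.get(row["ObjectId"])
        if owner is None:
            continue  # row is for an object that is not an audited task
        inherited = row["InheritedAccessRightsMask"]
        if inherited and row["PrincipalId"] != owner:
            findings.append((row["ObjectId"], row["PrincipalId"], decode_mask(inherited)))
    return findings


# Constructed sample data mirroring the scenario in the post.
TASK_OWNER = {"task-workflow": "User2", "task-shared": "User2"}
POA_ROWS = [
    # Task created by CRM Admin under Campaign A: campaign owner inherited rights.
    {"ObjectId": "task-workflow", "PrincipalId": "User1", "AccessRightsMask": 0, "InheritedAccessRightsMask": 0x3},
    # Explicit share only, nothing inherited: not flagged.
    {"ObjectId": "task-shared", "PrincipalId": "User3", "AccessRightsMask": 0x1, "InheritedAccessRightsMask": 0},
    # Not a task: skipped.
    {"ObjectId": "campaign-A", "PrincipalId": "User4", "AccessRightsMask": 0, "InheritedAccessRightsMask": 0x1},
]

if __name__ == "__main__":
    for task, principal, rights in find_inherited_access(POA_ROWS, TASK_OWNER):
        print(f"{task}: {principal} inherited {', '.join(rights)}")
```

Changing Reparent to Cascade User-Owned governs how rights are granted from then on, so a check like this is useful for reviewing records created before the change.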
