This can be tricky, depending on your requirements. I have a similar situation, where I needed members of a certain Role to see some requests and incidents, but not all (for example, they shouldn't see employee terminations, etc.).
I was able to get it where I needed by first limiting their view to Service Requests and Incidents in the Object Permissions of the Role. In the object permissions for ServiceReq, I used cases like 'Update and View where ServiceReq's TemplateName is equal to ....' and entered the request template name (or Subject). You can't do this with a bunch of 'and' statements in one case - they all have to be individual cases.
Then I added cases to the object permissions for Task.Assignment, such as 'Update and view where Task#Assignment's OwnerTeam is not equal to...' and entered the Teams where this role shouldn't be seeing their work. Again, if there are several, they have to be in their own cases.
It took a lot of trial and error in my STG environment to get it to work like I wanted. The trick is to figure out whether to configure cases for what they can see, or what they can't. Good luck!
I have to say I cheat at this. For example, if we want members of a 3rd party supplier to see incidents, I create a new role for the 3rd party supplier (<3rd Party supplier Name>Analyst) and add a new Boolean field on the incident object called <3rdPartySupplierName>HasAccess and initialise it to false. Use this new flag in the object permissions for incident (you should set your task access for the specific role/3rd party as well).
When a task is assigned to the 3rd party supplier, I use a business rule to set the incident access flag to true, granting them access to the incident record. Once the task has been completed, the flag is removed along with access to the record. This is fairly simple to administer and very flexible, as every 3rd party/role can have their own layouts, forms etc. and each can be changed without disturbing the other roles/user functions.
I have yet to find a really clean way of granting access to incident records from a task record. It would be nice if the object permissions allowed all incident relationships to be effective in the same way a saved search does.
If anyone has a nice way of doing this, please share.
Yes, you're on the right track. When you click that '+' icon, you can 'add a new case' and choose the options you want. It can be confusing, because there are 733 different objects that you can set permissions on. In addition to the 'cases', you can also set the checkbox options on the list:
Here's an example of how I set permissions on the ServiceReq object for a Role:
And here is part of the perms on Task.Assignment. I should note that if all the settings are 'is not equal to', then you can group them in one case: