There appears to be a lack of clear understanding around the differences between CRUD, FLS and Sharing. Here's a high-level overview:
Think about your Force.com object as a database table.
- CRUD: the table-level permission. Does the user have access to this table? (Create records in the table, Read records in the table, Update records in the table, and Delete records in the table)
- Field Level Security (FLS): a more granular, column-level permission. For each column you can set permissions. Does the user have access to this column, and what kind of access? The options are Invisible, Visible Read-Only, and Visible Read & Write.
- Sharing: a unique concept. Even if a user has some of the CRUD permissions to this table, and some sort of FLS permissions to some of the table’s columns, is that user allowed to Read/Write records created by other users? In addition to the basic sharing that says share or don’t share with other users, there are advanced sharing rules that can apply sharing automatically to records of your table. These advanced sharing rules can say, for example: any user in the hierarchy of managers above a user can read that user's records.
Hope this helps.
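
The three layers as they appear in Apex, shown as an added example that is not part of the original post. Apex generally runs in system context, so CRUD and FLS are checked explicitly here, while sharing is enforced by the `with sharing` keyword. The class, method and exception names are hypothetical; Contact, LastName and Email are standard.

```apex
// Added example. ContactAccessDemo, readVisibleContacts, updateEmail and
// AccessDeniedException are hypothetical names chosen for illustration.
public with sharing class ContactAccessDemo {
    // "with sharing" = row level: queries and DML only reach records
    // that are shared with the running user.

    public class AccessDeniedException extends Exception {}

    public static List<Contact> readVisibleContacts() {
        // CRUD = table level: may this user read Contact at all?
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('No Read permission on Contact');
        }

        // FLS = column level: select only the fields this user can see.
        List<String> fields = new List<String>{ 'Id' };
        if (Schema.sObjectType.Contact.fields.LastName.isAccessible()) {
            fields.add('LastName');
        }
        if (Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            fields.add('Email');
        }

        // Field names are fixed literals above, so no user input reaches the query.
        String soql = 'SELECT ' + String.join(fields, ', ') + ' FROM Contact LIMIT 50';
        return Database.query(soql);
    }

    public static void updateEmail(Id contactId, String newEmail) {
        // CRUD: Update permission on the table.
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new AccessDeniedException('No Update permission on Contact');
        }
        // FLS: the Email column must be Visible Read & Write for this user.
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessDeniedException('Email is not editable for this user');
        }
        // Sharing: under "with sharing" this DML throws a DmlException when
        // the record is not shared with the user for write access.
        update new Contact(Id = contactId, Email = newEmail);
    }
}
```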