Production Security vs. User SSO

I am in the process of putting my app into production and I have set up all my security with 2 user roles: Admin and User.

How do I set up the read/write for a record based on the following: a user can only "Read" a record unless they were the one to create the record, in which case they can read, write and delete.
1 answer

1. Set the entity property createdBy to true.

2. Add 2 access rules for the same module role.

3. First rule: read access only.

4. Second rule: read, write and delete, with an XPath constraint on the path to the owner.
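As an added illustration of the two-rule setup (this is not part of the answer above or of any Mendix project; the module name MyModule, the entity name Record and the module role User are assumptions), the rules would look like this. The constraint uses the Mendix `System.owner` association and the `[%CurrentUser%]` token, which are only populated when the entity has its "Store 'owner'" property enabled.

```text
Entity: MyModule.Record          (properties: Store 'owner' = Yes)

Access rule 1 (module role: User)
  Rights:      Read on all members
  XPath:       (none)  -> applies to every Record

Access rule 2 (module role: User)
  Rights:      Read and Write on all members, Delete
  XPath:       [System.owner = '[%CurrentUser%]']
               -> applies only to Records this user created
```

Access rules in Mendix are additive: the effective rights for a user are the union of every rule whose constraint matches. That is why the constraint belongs on the write/delete rule only; putting it on the read rule as well would hide other users' records entirely. Two things to verify after deploying: records created before "Store 'owner'" was switched on have an empty owner, so nobody in the User role will be able to edit or delete them until the owner is backfilled, and the Admin role needs its own rule if it is expected to edit everything, since these rules grant nothing to it.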