Hi Louis,
Per my knowledge base, authorization check with PFCG roles seems to be the correct approach.
For the data in CRM, I think you may mainly be referring to CRM Business Transactions (e.g. sales/service orders), Business Partner, and Product.
For business transactions, you can set up an organizational-unit-level authorization check; the detailed information can be found at http://help.sap.com/saphelp_crm70/helpdata/en/48/a44236ceb873e8e10000000a42189b/frameset.htm
For BP, you can use the authorization object CRM_BP_SA; it is used to control the display of BP sales area data.
For product, the authorization objects are COM_PRD and COM_PRD_CT.
Best regards,
Maggie