I just had one of those WTF-moments.
I needed a separate security role for people so they could clean up accounts & contacts in CRM 2011. As a result, they needed merge capabilities.
There is a separate privilege for that under the Business Management tab of a security role, obviously called merge.
So I gave the role, read, write, append and append to permissions, besides the merge privilege.
This seemed logical and with it, the user is able to view the account/contact and call up the merge UI.
Up until the point you actually want to do the merge. There you get the nice exception that you don’t have enough permissions to do so.
After some digging around in the trace-logs, it seems you also need the Share privilege on the entity you want to merge.
This absolutely makes no sense, since sharing is used for giving a user permissions on a record to record basis.