The recommended practice is to start a project with a configuration business role and a customer business role and assign the business roles to the users (instead of assigning user roles individually).
This will help you to test and fine-tune the security from the very beginning and avoid cleaning up permissions before UAT.