The recommended practice is to start a project with setting up the configuration following business role and a customer business role and assign these roles to the usersroles and assigning them to individual users. Assigning user groups or user roles directly to the user should be avoided since it is a lot more difficult to maintain and keep overview for large number of users after go-live.
These are the typical roles that projects have:
System Admins (= “all roles”) – For configuration engineers and customer system admins .
Price Analyst (for Price Setting) or Sales (for Quoting) – For users who initiate the price/discount changes.
Pricing Manager or Sales Manager – For users who typically approve prices/discounts and have access to dashboards.
This will help you test and finetune security from the very beginning and avoid cleaning permissions before user acceptance testing.