The recommended practice is to start a project with setting up the configuration following business role and a customer business role and assign the business roles to the users instead of assigning user roles individually. It will help you to test and tune the security from the very beginningroles and assigning them to individual users. Assigning user groups or user roles directly to the user should be avoided since it is a lot more difficult to maintain and keep overview for large number of users after go-live.
These are the typical roles that projects have:
System Admins (= “all roles”) – For configuration engineers and customer system admins .
Price Analyst (for Price Setting) or Sales (for Quoting) – For users who initiate the price/discount changes.
Pricing Manager or Sales Manager – For users who typically approve prices/discounts and have access to dashboards.
This will help you test and finetune security from the very beginning and avoid cleaning permissions before user acceptance testing.