The recommended practice is to start a project with a configuration business role and a customer business role and assign the business roles to the users (instead of assigning user roles individually).
This will help you test and finetune the security from the very beginning and avoid cleaning permissions before UAT.