The recommended practice is to start a project with setting up the following business roles and assigning them to individual users. Assigning user groups or user roles directly to the user should be avoided since it is a lot more difficult to maintain and keep overview for large number of users after go-live.
These are the typical roles that projects have:
-
System Admins (= “all roles”) – For configuration engineers and customer system admins .
-
Price Analyst (for Price Setting) or Sales (for Quoting) – For users who initiate the price/discount changes.
-
Pricing Manager or Sales Manager – For users who typically approve prices/discounts and have access to dashboards.
This will help you test and finetune security from the very beginning and avoid cleaning permissions before user acceptance testing.