It's clear that using SUPER permissions for everyone in a company is not ideal for good security, so we should be working with our customers to determine the best way to set up security for their needs. This in practice seems more tedious and time consuming than needed, often not knowing exactly which processes a user may have until they actually test the system.
A couple of user groups, for example:
Group A: Cannot edit journal entries, but can post
Group B: Can create/edit/delete journal entries, but cannot post; can post bank recs
Group C: Admin user without the third-party ISV User Setup tables; cannot create/modify/delete journal entries
The most efficient idea is to record the process someone would go through; however, this often adds permissions for things a user should not have. Recording posting permissions often allows insert/modify/delete for the entry page, but there are so many individual permissions that there's no way to tell exactly which one does what, so "effective permissions" on a user card are only helpful once the user is in the system and runs across a specific permission error.
Sometimes, attempting to remove the permission for one process will remove access to another process elsewhere in the system, but I'm only able to find out when a user inevitably comes across an error telling me which permission to add.
Every organization deserves granular permissions, and conceptually they are not that difficult, but when you include a third party ISV extension, along with multiple companies/environments, it quickly becomes overwhelming.
There's no way for me to tell which users are able to accomplish which processes until they've tested everything. After implementation, we receive daily emails that a user cannot complete an important task because they don't have permissions.
Comments
Agreed. Permissions in BC are an absolute nightmare, and the only thing worse is Microsoft's terrible idea of setting the defaults to give access to everyone. That's the exact opposite of what should be done.
Category: Tenant Administration
Business Central Team (administrator)
Thank you for this suggestion! Currently this is not on our roadmap. We are tracking this idea and if it gathers more votes and comments we will consider it in the future. Best regards, Business Central Team