Customers that plan to go with Std D365 Security roles find that apart from providing operational access to the areas of work, security roles are providing access to modify config (setup). Where customers don't want to go for Openness policy and want to have governance on config changes - the Std D365 F&SCM roles do not work and enforces customers to go down custom security roles.

Security Roles can be tightened further with only operational access. Example:

Accounting Manager Role has access to 'Maintain Product Type' duty and 'Maintain Chart of Accounts master' duty.