We started by creating a base role that gives users basic access to the platform. The base role, for example, gives users read access to business units, entities' schema, SDK messages, system forms, and so on. By itself, this role does not give access to anything else in the system; it provides only blank access to the platform.
We then created a role to read accounts and contacts, and finished by creating a role that gives full write access to accounts and contacts. Note that we left out Assign and Share, as these are special privileges that can be split out into their own security role.
The union of all three roles will give a user all privileges required to access the system and read/write to accounts and contacts:
We provided the privileges at a Parent: Child Business Units level. However, this can be done at any other level depending on your requirements. Refer to the introduction of this chapter to understand the different levels and some of their respective scenarios.
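The following is an added example, not code from the original text or from the platform: a small Python model of the three layered roles that computes their union (for each privilege, the widest access level granted by any role applies) and checks that Assign and Share stay out of the result. The privilege sets per role, the table names, and the helper names are assumptions made for illustration.

```python
from enum import IntEnum

class Depth(IntEnum):
    """Access levels, ordered narrowest to widest."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3      # Parent: Child Business Units, the level used above
    ORGANIZATION = 4

def grant(tables, actions, depth):
    """Build a role as {(table, action): depth}."""
    return {(t, a): depth for t in tables for a in actions}

TABLES = ("account", "contact")

# Constructed role definitions (assumed contents, modelled on the text).
BASE_ROLE = grant(("businessunit", "entity", "sdkmessage", "systemform"),
                  ("Read",), Depth.PARENT_CHILD)
READ_ROLE = grant(TABLES, ("Read",), Depth.PARENT_CHILD)
WRITE_ROLE = grant(TABLES, ("Create", "Write", "Delete", "Append", "AppendTo"),
                   Depth.PARENT_CHILD)

def effective(*roles):
    """Union of roles: per privilege, the widest depth granted wins."""
    merged = {}
    for role in roles:
        for priv, depth in role.items():
            merged[priv] = max(depth, merged.get(priv, Depth.NONE))
    return merged

def can(privs, table, action, needed):
    """True if the privilege is held at the needed depth or wider."""
    return privs.get((table, action), Depth.NONE) >= needed

def withheld_present(privs, withheld=("Assign", "Share")):
    """Privileges that were meant to live in a separate role."""
    return sorted(p for p in privs if p[1] in withheld)

if __name__ == "__main__":
    user = effective(BASE_ROLE, READ_ROLE, WRITE_ROLE)
    print(can(user, "account", "Write", Depth.PARENT_CHILD))
    print(withheld_present(user))
```

Because the merge only ever widens access, assigning an extra role can never narrow a privilege, which is why the check for withheld privileges is worth running over the merged result rather than over each role in isolation.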