Best practice question - how many roles do you have? We use OneWorld and currently have over 70 active roles, most of which are custom one. That's down by about 10 that I insisted on inactivating. I'm currently working to see if we can consolidate and inactivate more just because it seems like it would be a good thing to do and an easy win. I think a lot of our custom roles were created back in 2015 when we implemented in order to deal with giving our various subsidiaries access for only their country, but I don't necessarily think that's necessary any more since the role permissions with subsidiaries have changed a lot in the last couple of releases.

This is a bit of a loaded question. - there's way more nuance needed here than can be easily/quickly addressed.

Roles always seem to be a technical debt thing that add up over time, the biggest problem I find with deactivating them is losing custom dashboards and things people have put onto some role you want to get rid of.

Every organization is going to be different. Do you have SOX segregation of duty concerns? Do you have a lot of workflows/scripts that touch roles? Can people with different job titles use the same role because there's only minor differences between them?

All good points. We have A LOT of roles with just 1-2 users that login using that role 1-2x/year. And those users also have other roles. Not a lot of customizations specific to any roles that I'm aware of. These are all very helpful considerations. I think my original thought of just targeting those roles that are barely used is probably the best way to go about this and for now to leave the other custom roles alone. I think after cleaning up those roles, I'll spend my time figuring out why some users have access to global roles when they should only be able to access their country's own information/roles instead of consolidating roles. That's probably a better use of my time and better overall practice. Thank you!

You can always inactivate the role and see if anyone notices, haha