Best Practices for Permissions

  • Create groups to facilitate analytics tracking or to manage access to different areas of the site: Avoid changing permissions on an individual basis, because individual changes are not as easy to audit as group permissions.
  • Limit membership in Super User and Network Administrator groups: Create new groups with permissions needed for employees and others, as required.
  • Make changes with limited scope: Avoid revoking or granting too much at the site-wide level, which you must then reverse on multiple spaces. Change only the permissions that need to differ, and only on the spaces that differ from the default user permission. This can also apply to parent/child space relationships.
  • SSOs can support group mapping (especially LDAP and SAML): Use group mapping to automatically place users in the appropriate groups and to revoke their access if they leave the company and are removed from SSO.
  • Audit Moderator, Super User and Network Administrator groups: Audit quarterly or at least annually to remove users who have left the company and no longer require access. You may also need to remove them from employee or other specialty groups or suspend/deactivate them.
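
An added example, not part of the original page or the product's own tooling: a Python script for the audit described in the last bullet, cross-checking a group-membership export against the accounts still present in SSO. The CSV layout, the user names and the 90/365-day thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Groups the page says to audit (names taken from the page).
PRIVILEGED = {"Moderator", "Super User", "Network Administrator"}

# Constructed sample export; the "group,username" layout is hypothetical.
MEMBERSHIP_CSV = """group,username
Super User,alice
Super User,bob
Network Administrator,carol
Moderator,dave
Moderator,bob
Employees,bob
Employees,alice
"""

# Constructed list of accounts still present in the SSO directory.
ACTIVE_SSO_USERS = {"alice", "carol"}

def load_memberships(text):
    """Parse the export into {username: set of group names}."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(text)):
        by_user.setdefault(row["username"].strip(), set()).add(row["group"].strip())
    return by_user

def audit(by_user, active_users):
    """Report users who hold a privileged group but are no longer in SSO."""
    findings = {}
    for user, groups in by_user.items():
        if user in active_users:
            continue
        privileged = sorted(groups & PRIVILEGED)
        if privileged:
            # Also list employee/specialty groups that still need cleanup.
            findings[user] = {"privileged": privileged,
                              "other": sorted(groups - PRIVILEGED)}
    return findings

def audit_status(last_audit, today):
    """Quarterly is the target, annually the minimum (90/365 days assumed)."""
    age = (today - last_audit).days
    return "overdue" if age > 365 else "due" if age > 90 else "current"

if __name__ == "__main__":
    for user, f in sorted(audit(load_memberships(MEMBERSHIP_CSV), ACTIVE_SSO_USERS).items()):
        print(f"{user}: remove from {f['privileged']}; also review {f['other']}")
    print(audit_status(date(2024, 1, 10), date(2024, 6, 1)))
```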
