It's hard to take things away

A common issue I see on Drupal projects is how the user roles and permissions have been configured.

They are usually set up correctly to begin with: users are given the correct roles, with only the permissions they need to perform their required tasks.

But, at some point, something doesn't work or a user needs access to something new.

Rather than assign them a new role, the user is commonly given a role that gives them access to too much - usually an Administrator role that lets them access anything in the Drupal admin UI.

As well as introducing security risks, a user who has access to all the settings will use them. It is also very difficult to review and change user roles and permissions once they have been assigned without causing disruption.

It may be tempting, particularly if there is pressure or deadlines, but avoid giving users roles and permissions they don't need.

Once they are given, they are hard to take away.

About me

I'm a certified Drupal Triple Expert and former Drupal Association staff member with 18 years of experience, a Drupal core contributor, public speaker, live streamer, and host of the Beyond Blocks podcast.