Sitecore recommended practices for security (users and roles):
- Break inheritance rather than explicitly deny access rights.
- Apply security to roles rather than users.
- Limit access to the parts of the content tree that are relevant to the user who is logged in to the system.
- Limit access to the ribbon items by disabling features that are not relevant to individual users.
- No users should have empty or obvious passwords.
- Use the profile setting of the user properties to specify that a user should always use a certain interface, no matter what interface they select on the login screen.
- Make sure that users belong to only the required Sitecore Client roles.
- Administrator user accounts should only be used to perform administrator tasks (mainly unlocking other users’ items).