Make use of out-of-the-box SAV roles wherever applicable instead of creating custom SAV roles.
ROLE_ADMIN should be assigned to a very limited number of users and should not be used by users for their day-to-day application support tasks.
ROLE_ADMIN has special access which overrides any other access designed in other SAV roles. For example, ROLE_ADMIN will have access to edit any connection irrespective of the SAV role configured at the connector level.
ROLE_ADMIN should never be assigned to non-person users (for example, a service account used to call Saviynt APIs).
Leverage out-of-the-box SAV roles as per the end user's function/role.
Custom SAV Roles
Custom SAV roles must be created with least privilege, both in terms of access on the home page and access to Saviynt features.
Marking a SAV role as "Read Only" makes it a special-access role: users assigned to this role get read-only access to all Saviynt modules except ARS. The read-only SAV role overrides access assigned to the user via any other SAV role.
Design your SAV roles in an access-incremental manner so that multiple SAV roles do not have common/redundant access.
When creating a user, at minimum the end user SAV role (least privilege) needs to be assigned for the user to access the Saviynt application. Without any SAV role, a user cannot access Saviynt.
The API service account SAV role should not have any access to log in interactively to the Saviynt application; it should be limited to web services only.
After making any changes to a SAV role, always click the "Refresh Access Changes" button to flush the old access cache so that the new changes take effect.
Key Benefit (Quantitative/qualitative)
SAV roles are meant to provide better governance of Saviynt application objects, so all SAV roles should be designed with least privilege.
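
An added example, not Saviynt code: a small offline audit that checks a user-to-SAV-role listing against the guidance above (ROLE_ADMIN sprawl, ROLE_ADMIN on service accounts, service accounts with non-web-service access, users with no SAV role, redundant access across custom roles). The record layout, the role names other than ROLE_ADMIN, the feature names and the MAX_ADMINS threshold are assumptions.

```python
from itertools import combinations

# Constructed sample data. Field names, role names other than ROLE_ADMIN, and
# feature names are assumptions for illustration, not a Saviynt export format.
USERS = [
    {"username": "alice", "type": "person", "sav_roles": ["ROLE_ADMIN"]},
    {"username": "bob", "type": "person", "sav_roles": ["ROLE_ADMIN", "ROLE_SUPPORT"]},
    {"username": "carol", "type": "person", "sav_roles": []},
    {"username": "svc_api", "type": "service", "sav_roles": ["ROLE_ADMIN", "ROLE_API"]},
    {"username": "dave", "type": "person", "sav_roles": ["ROLE_ENDUSER"]},
]
CUSTOM_ROLES = {  # custom SAV role -> features it grants (hypothetical names)
    "ROLE_SUPPORT": {"view_tasks", "view_connections"},
    "ROLE_API": {"webservice", "ui_login"},
    "ROLE_AUDIT": {"view_tasks", "view_reports"},
}
MAX_ADMINS = 2  # assumed local threshold for "very limited"


def audit(users, custom_roles, max_admins=MAX_ADMINS):
    """Return sorted (rule, detail) findings for the SAV role guidance above."""
    findings = []
    admins = sorted(u["username"] for u in users if "ROLE_ADMIN" in u["sav_roles"])
    if len(admins) > max_admins:
        findings.append(("TOO_MANY_ADMINS", ",".join(admins)))
    for u in users:
        name, roles = u["username"], u["sav_roles"]
        if not roles:  # without any SAV role the user cannot access the application
            findings.append(("NO_SAV_ROLE", name))
        if u["type"] != "service":
            continue
        if "ROLE_ADMIN" in roles:  # ROLE_ADMIN overrides every other SAV role
            findings.append(("ADMIN_ON_SERVICE_ACCOUNT", name))
        granted = set().union(*(custom_roles.get(r, set()) for r in roles))
        extra = sorted(granted - {"webservice"})  # service accounts: web services only
        if extra:
            findings.append(("SERVICE_ACCOUNT_NON_API_ACCESS", f"{name}:{','.join(extra)}"))
    # Custom roles should be incremental: flag features granted by more than one role.
    for a, b in combinations(sorted(custom_roles), 2):
        shared = sorted(custom_roles[a] & custom_roles[b])
        if shared:
            findings.append(("REDUNDANT_ACCESS", f"{a}+{b}:{','.join(shared)}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(USERS, CUSTOM_ROLES):
        print(f"{rule:32} {detail}")
```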