One of our six spaces includes 32 roles. We had to create so many roles to be able to restrict access for users (customers) that are working in different banks, offshore/onshore users etc, taking into account that some should have access to Defects module only and other to backlog/test/defects.
Besides 30 rules added on space level and up to 50 on workspace level (just for defects). Rules differs from workspace to workspace. It took much time to configure that and one can't keep it all in his head. It's very likely that not everything was configured in a proper way. Since we have SSO configured for Octane it's not easy to validate permissions assigned to user especially when several roles are applied.
Having instance with 2500+ users what we really need is permission helper that would run checks on what is allowed and what is not per user.
Alternatively (or additionally) it would be good to have possibility for workspace admins to emulate user's session.