Is RBAC best practice?
It is solid. Companies can easily control users' access based on their roles. It improves operational performance. Thanks to RBAC many transactions are automated, and employees don't waste time using the applications and services that are not needed for fulfilling their responsibilities.
What is the best practice when creating users and assigning roles?
whats the best practice to provision user roles --> Roles should always be assigned to groups rather than individual users. Also, even if users are not getting created manually, ensure the roles/group granted is done manually. This ensures control over licenses.