Consider this scenario:
You create a base role that contains business unit read access to core entities, and assign this role to all of your users. Good idea! You must have read tip 2.
You then decide to give the same role to a few teams, because the teams could also own some records, and your base role contains the permissions that they need. You then add a user who has the base role to a team that has the same base role.
The problem is, when a user and team have the exact same security role, unpredictable results can occur. On multiple occasions, I have seen the user not see the records owned by the team when he or she has the same security role as the team has.
Solution: create a copy of the base role called “Team base role” and assign this role to the teams.
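To find where this overlap already exists, the following added example (not from the original tip) audits role assignments for team members who hold the same role as their team. The dictionaries are constructed sample data, and their shape is an assumption about how you export user roles, team roles and team membership.

```python
from collections import defaultdict

# Constructed sample data (not from a real system). The shapes are assumptions:
# role names per user, role names per team, and member names per team.
USER_ROLES = {
    "alice": {"Base role", "Salesperson"},
    "bob": {"Base role"},
    "carol": {"Base role", "Sales Manager"},
}
TEAM_ROLES = {
    "Key Accounts": {"Base role"},    # same role as its members: the problem case
    "Renewals": {"Team base role"},   # uses a copy, as the tip recommends
}
TEAM_MEMBERS = {
    "Key Accounts": {"alice", "bob"},
    "Renewals": {"carol"},
}


def find_shared_role_conflicts(user_roles, team_roles, team_members):
    """Return sorted (user, team, role) triples where a member holds the team's own role."""
    conflicts = []
    for team, members in team_members.items():
        roles_on_team = team_roles.get(team, set())
        for user in members:
            for role in roles_on_team & user_roles.get(user, set()):
                conflicts.append((user, team, role))
    return sorted(conflicts)


def roles_needing_team_copy(conflicts):
    """Group conflicts by role: role name -> sorted teams that should get a copy instead."""
    by_role = defaultdict(set)
    for _user, team, role in conflicts:
        by_role[role].add(team)
    return {role: sorted(teams) for role, teams in by_role.items()}


if __name__ == "__main__":
    found = find_shared_role_conflicts(USER_ROLES, TEAM_ROLES, TEAM_MEMBERS)
    for user, team, role in found:
        print(f"{user} and team '{team}' both hold '{role}'")
    for role, teams in roles_needing_team_copy(found).items():
        print(f"Assign a copy of '{role}' to: {', '.join(teams)}")
```

Re-running the audit after assigning the copied role to the flagged teams should return no conflicts.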