...
- Ask Salesforce to enable the setting that lets admins log in as any user: http://help.salesforce.com/apex/HTViewSolution?id=000089838&language=en_US
- Decide on your groups of users, their hierarchy and what data they should see.
- Clone existing profiles, creating as few as needed. Focus on the tab and app permissions and basic object permissions; specific object and field permissions can be done via Permission Sets.
- Set up the Role Hierarchy
- Set up Organization-Wide Defaults, usually Private on the main objects such as Accounts, Leads etc., unless everyone in the org should see and edit everything.
- Create Sharing Settings
- Create the Users
- Test, test, test
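One way to support the testing step for the org-wide defaults, as an added example that is not part of the original post: it reads object metadata retrieved from the org and lists every object whose default is broader than Private. The sample XML is constructed, and the names audit_owd, ALLOWED and SAMPLE are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API files such as Account.object-meta.xml
NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Assumption: Private is the target; ControlledByParent is accepted because a
# detail object inherits its access from the parent record.
ALLOWED = {"Private", "ControlledByParent"}


def _obj(body):
    """Wrap a fragment in a CustomObject element (constructed sample helper)."""
    return f'<CustomObject xmlns="{NS["sf"]}">{body}</CustomObject>'


# Constructed sample metadata, not taken from a real org.
SAMPLE = {
    "Account": _obj("<sharingModel>Private</sharingModel>"),
    "Lead": _obj("<sharingModel>ReadWriteTransfer</sharingModel>"),
    "Opportunity": _obj("<sharingModel>Read</sharingModel>"),
    "Invoice__c": _obj("<sharingModel>ControlledByParent</sharingModel>"),
    "Contact": _obj("<label>Contact</label>"),  # no sharingModel retrieved
}


def audit_owd(objects, allowed=ALLOWED):
    """Return (object, value, reason) for each object that needs review."""
    findings = []
    for name in sorted(objects):
        root = ET.fromstring(objects[name])
        value = root.findtext("sf:sharingModel", default=None, namespaces=NS)
        if value is None:
            # Absence is not proof of Private: confirm in Setup > Sharing Settings.
            findings.append((name, None, "no sharingModel in metadata; verify in Setup"))
        elif value.strip() not in allowed:
            findings.append((name, value.strip(), "org-wide default is broader than Private"))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit_owd(SAMPLE):
        print(f"{name}: {value or 'unset'} -> {reason}")
```

Run it against the retrieved metadata after each sharing change, and follow up by logging in as a user from each profile to confirm what they can actually see.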
Annoyances
- Why oh why does a new developer org need 35 profiles? Why does a new developer have custom profiles? (at least I can delete them).
Dicing
Field Level Security
...