Roles during the lifetime of a website

Every site is different and has different requirements for roles, so this article focuses on providing a baseline for a generic site.

Required Roles

There are three roles and one user required for every Drupal site. The required user is the root user, user 1 (uid 1), created during the site's initial setup. User 1 bypasses every permission check regardless of which roles it holds, which is why the setup below stops using it as soon as a normal admin account exists.

The first required role is the admin role, which has access to every permission available and cannot be deleted or have any permission removed; in Drupal 8 and later this is the role flagged "is_admin", and it is automatically granted every permission that any newly installed module defines. The second is the Anonymous role, which applies to all visitors to the website who are not signed in. The third is the Authenticated role, which applies to anyone who has a user account on the website and is signed in.

Recommended Initial Setup

  1. Using user 1, create one or more admin users
  2. Sign out of user 1 and sign in with a newly created admin user
  3. Block/disable user 1
  4. Install a permission-management contrib module, for example:
    1. fpa
    2. permissions_dragcheck
    3. speedboxes
    4. filter_perms
  5. Create the site-builder role
  6. Give all permissions to the site-builder role
  7. Create a user with the site-builder role
  8. Sign out of the admin user and sign in with the site-builder user
  9. Create the rest of the roles the site requires

Why the site builder role?

There are two good reasons to create a separate "give everything" role rather than using the default admin role. First, it lets you turn off permissions that a site builder does not want, accessibility checks for example. Second, because the site-builder role is not the admin role, it does not automatically receive new permissions; it forces you to check and read every new permission from newly installed modules or newly created entity types before anyone gets it. While tedious, given the large number of permissions Drupal comes with, it is good practice to read every new permission and make sure it is applied to the correct roles.
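One way to script steps 3 and 5 to 7 of the setup above, together with the permission audit that the site-builder role is meant to force, is a Drush PHP script. This is an added example written for this article, not code from the article, from Drupal or from Drush. It assumes the Standard profile's `administrator` role is the admin role, uses `site_builder`, `content` and `user` as machine names for the new roles, and names the site-builder account `builder`; all of these are placeholders to adjust per site.

```php
<?php
// role_setup.php -- run inside the site root with: drush php:script role_setup.php
// Added example for this article (not Drupal or Drush code). Assumptions:
// admin role machine name "administrator" (Standard profile), new roles
// site_builder / content / user, site-builder account named "builder".

use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;

const SITE_BUILDER_USER = 'builder';               // placeholder
const SITE_BUILDER_MAIL = 'builder@example.com';   // placeholder

// Permissions to withhold from the site builder even though the role is
// otherwise "give everything" (the article's accessibility-checks example).
// Left empty here; fill in per site.
const SITE_BUILDER_DENY = [];

/** Create a role if it does not exist yet and return the Role entity. */
function ensure_role(string $id, string $label): Role {
  $role = Role::load($id);
  if ($role === NULL) {
    $role = Role::create(['id' => $id, 'label' => $label]);
    $role->save();
    echo "created role $id\n";
  }
  return $role;
}

// Every permission currently defined by core and the enabled modules.
$perm_defs = \Drupal::service('user.permissions')->getPermissions();
$all_perms = array_keys($perm_defs);

// Steps 5-6: site-builder role with every permission known right now.
// Only grant on a fresh role, so later runs audit instead of re-granting.
$builder_role = ensure_role('site_builder', 'Site builder');
if (empty($builder_role->getPermissions())) {
  foreach (array_diff($all_perms, SITE_BUILDER_DENY) as $perm) {
    $builder_role->grantPermission($perm);
  }
  $builder_role->save();
}

// The other two recommended roles start with no permissions; grant them
// deliberately on the permissions page (or with $role->grantPermission()).
ensure_role('content', 'Content');
ensure_role('user', 'User');

// Step 7: a dedicated account for day-to-day site building.
$existing = \Drupal::entityTypeManager()->getStorage('user')
  ->loadByProperties(['name' => SITE_BUILDER_USER]);
if (!$existing) {
  $user = User::create([
    'name' => SITE_BUILDER_USER,
    'mail' => SITE_BUILDER_MAIL,
    'status' => 1,
    'roles' => ['site_builder'],
  ]);
  // No password is set; sign in with a one-time link: drush user:login builder
  $user->save();
  echo "created user " . SITE_BUILDER_USER . "\n";
}

// Step 3, done last so you are never locked out: block user 1.
$root = User::load(1);
if ($root->isActive()) {
  $root->block()->save();
  echo "blocked user 1 (" . $root->getAccountName() . ")\n";
}

// Audit: permissions granted to no role except the admin role. Rerun after
// every module install; each line is a permission nobody has read and
// assigned yet, which is exactly what the non-admin site-builder role forces.
$granted = [];
foreach (Role::loadMultiple() as $r) {
  if ($r->isAdmin()) {
    continue;
  }
  $granted = array_merge($granted, $r->getPermissions());
}
foreach (array_diff($all_perms, $granted) as $perm) {
  printf("unassigned: %-50s provided by %s\n", $perm, $perm_defs[$perm]['provider']);
}
```

Run it once after the initial install to create the roles and account, then sign in as `builder` and block user 1 only after confirming that login works. Rerun it after each module install; the "unassigned" lines are the new permissions to read and place on the correct roles.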

The other recommended roles

Two more roles round out the recommended baseline. First is the content role, for the people who will be adding content to the website. Second is the user role, for regular users of the website. A separate user role gives the site builder control over the permissions granted to regular users, rather than using the Authenticated role, which applies to every signed-in user (including site builders and content authors) rather than targeting only regular users.

Other roles

Editor. Together with the core Content Moderation module, used to approve content for publication.

Moderator. Looks after users: can modify profiles, change email addresses, assign roles, and so on.

Verified. A user who has passed a check, which allows them to comment or perform some other action on the website.