• If you want to comply with the principle of Least Privilege, then you should start by talking with the business.

    I usually take the time to talk with the business about their business roles and what they do.

    I use this to make a logical model, and when we agree on the functionality and the principles, I can make a physical model.

    If you work in a high-security organisation, it is very important to know the demands of security and audit.

    With a physical model that is accepted by the business, I can implement roles by AD groups and user-defined database or server roles. I do not use the default roles, as they do not comply with the principle of Least Privilege.

    I usually name the roles by their function, which helps business, operations and service desk in the daily administration.

    This is a huge task, but you will get new and unique knowledge about the business. In the long run, your work will pay off.

    /Niels Grove-Rasmussen
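The pattern described in the post above (one AD group per business function, mapped to a user-defined role that holds only the permissions that function needs, instead of the fixed roles such as db_owner or db_datawriter) looks like this on SQL Server. This is an added illustration, not code from the post or its author; the database name Sales, the domain CONTOSO, the AD groups Sales-OrderEntry and DBA-Monitoring, and the objects dbo.Customer, dbo.SalesOrder and dbo.usp_PlaceOrder are all hypothetical.

```sql
-- Added example (not from the original post): function-named least-privilege roles on SQL Server.
-- Assumptions (hypothetical): database Sales, AD groups CONTOSO\Sales-OrderEntry and
-- CONTOSO\DBA-Monitoring, and tables/procedure dbo.Customer, dbo.SalesOrder, dbo.usp_PlaceOrder.

USE Sales;
GO

-- 1. One Windows login per AD group. Membership is administered in AD, so the service desk
--    adds or removes people from the group and never touches SQL Server.
CREATE LOGIN [CONTOSO\Sales-OrderEntry] FROM WINDOWS;
GO

-- 2. A database user for that login. It gets nothing beyond CONNECT until a role grants it.
CREATE USER [CONTOSO\Sales-OrderEntry] FOR LOGIN [CONTOSO\Sales-OrderEntry];
GO

-- 3. A user-defined role named after the business function, instead of a fixed role.
CREATE ROLE OrderEntry;
GO

-- 4. Grant only what the function needs: read customers, write orders, run one procedure.
--    No GRANT on the whole schema or database, which is what db_datawriter would give.
GRANT SELECT ON OBJECT::dbo.Customer TO OrderEntry;
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.SalesOrder TO OrderEntry;
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder TO OrderEntry;
GO

-- 5. Put the AD-group user into the role.
ALTER ROLE OrderEntry ADD MEMBER [CONTOSO\Sales-OrderEntry];
GO

-- Same idea at server scope (SQL Server 2012 and later): a user-defined server role for
-- operations monitoring, instead of handing out sysadmin.
CREATE SERVER ROLE OpsMonitor;
GRANT VIEW SERVER STATE TO OpsMonitor;
CREATE LOGIN [CONTOSO\DBA-Monitoring] FROM WINDOWS;
ALTER SERVER ROLE OpsMonitor ADD MEMBER [CONTOSO\DBA-Monitoring];
GO

-- Audit check 1: every permission the OrderEntry role actually holds, for the security/audit review.
SELECT pr.name AS role_name,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 1
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            ELSE pe.class_desc
       END AS securable
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'OrderEntry'
ORDER BY securable, pe.permission_name;

-- Audit check 2: anyone (other than dbo) still sitting in a fixed database role.
-- In a least-privilege setup this should return no rows.
SELECT r.name AS fixed_role, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datareader', 'db_datawriter',
                 'db_ddladmin', 'db_securityadmin', 'db_accessadmin')
  AND m.name <> 'dbo';
```

The two audit queries are the part worth keeping around: the first produces the permission list the business signed off on in the physical model, so it can be compared against that model on every review, and the second catches the common drift where someone adds a user to db_owner "temporarily" and the fixed role quietly bypasses the function roles.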