Hello

i want to create a new role in my org for an accountant, i'm wondering what permissions should this employee have, especially if they were from outside my organization. i want them to only access modules and data an accountant is supposed to access nothing more. also are there any security/privacy practices i must be aware of when dealing with this role? 

thanks