Seconding the suggestion of the permission recorder. We upgraded from 2009 to 2018 last year, and I quickly realized that in many cases it was easier to record a new permission set, rather than attempt to add all of the new objects or functionality manually. Role Centers/Profiles for example. Just opening NAV can set off numerous permission errors due to the tiles/activities/reports in the Role Center. And I found it much easier to just record a permission set for that Profile. Otherwise, you will solve one error, test again, solve another error, over and over and over, going crazy in the process.
If you are early enough in the upgrade process, I strongly recommend mapping out a general plan ahead of time, then proceeding with recording new permission sets by task, and then grouping those into User Groups by role. Similar to what Lewis suggested, we created a BASIC permission set that included the objects everyone should have access to. Then I recorded sets for specific tasks (Invoice Sales Order, Create Purchase Order, etc.), and combined those into User Groups as needed.
Ideally, you will leave enough time to have your users to test their processes, for both functional issues AND permission issues at the same time. It can be tough to focus on permissions, if you have other functional or setup issues to test and resolve. But for us the concern was…if we didnt update our permissions during the upgrade process, I wasn't sure if/when we would ever get back to it.
If you've found this thread useful, dive deeper into User Group community content by role