This discussion did not seem to take off. So I am giving another push.
Have the rights assignment initiation delegated.
Use a form which the manager sends in and which specifies the organizational unit, the duties that require rights and timeframe.
Grant rights only once.
Depending on your security model a user may get the same rights different ways like belonging to an OBS unit, being a member of a group, automatically, directly.
Though it is a lot of work cleaning the accesses so that you only get a right once will affect performance, because on every page the rights are checked first and the the more assignment of rights there are the longer it may take.
It is also easier to establish who can do what if there are less assignment of rights.
Remove access rights when they are no longer needed.
One reason is as above the performance.
The second reason is that the rights are the thing that determine which licenses are required.
When removing the rights bear in mind that participants and collaboration managers also require licenses eventhough they are not in rights administration.
Remove the rights as soon as the user does not need them any more and as soon data related to the user's role affecting the rights is no longer needed for reporting. Eg some reports are based on Project Managers and removing the project manager assignment removes the data related to that user from such reports.
Give rights through groups
Giving rights through groups simplifies the rights administtration as it separates he management of the rights and management of who has them.
Use groups at leats whenever two users have the same rights.
Rights from being a member of an OBS unit
This type right has very limited use as a user/resource can be associated with only one unit in each OBS type as opposed being a member of many groups each having various rights to several instances associated with differen units in the same OBS.
Use this type of rights assignment only in a very general way eg. a user associated with any unit in an OBS type.