Best practice when using a system that has multiple levels of permissions or roles, is to use the account with the least amount of privileges to perform the action required.

You see this in Windows and Apple OSX machines by default now where you have a regular user account, and then when you want to perform an administrative function, you will get prompted for a password to temporarily gain higher privileges to perform that action.

For systems that you are building that don’t have this model built in, you will want to replicate it. Most of the times I will see the application be installed as an admin, and that is all. You should create a lower level user account that gives you most of the function you need outside of administrative functions, and use this account the majority of the time.