I'm coming from an organization with over 7,500 unique users in production. The way we handle our security is by assigning the users one of five system users (we have 11 db users in the F98OWPU, 2 of which are for QA purposes only, DEV is a separate installation with its own system tables.)
The five system users are either production user, production HR user, production report writer, production HR report writer and auditor (read-only in every important way).
The other users are dedicated to Point Solutions (it really does make it a bit easier to filter using unique DB users in tools like Oracle Enterprise Manager), JDE and a copy of JDE with somewhat reduced privileges, JDEUSER.