My recommendation on how to manage permissions goes like this:
- Create the database with appropriate schemas, e.g. HR/Finance or Staging/ETL
- Create objects like tables and views inside the appropriate Schemas
- Create database roles such as db_finance_admin_role, db_developer_role, db_ddl_deployer_role etc
- Grant permissions at the Schema level to database roles as shown in the example above
- Create AD groups (instead of individual logins) like Finance_DB_Admins, IT_Developers etc
- Grant database role membership to AD groups instead of individual logins: `EXEC sp_addrolemember N'db_developer_role', N'IT_Developers'`
Doing it this way allows you to separate the concerns. For example, the db_developer_role can be granted more or fewer permissions, and all the groups granted that role will automatically get that. Also, you are free to use the AD groups across instances in multiple databases with different permissions.
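The six steps above carried through end to end in T-SQL, as an added example that is not part of the original post. The database name PayrollDB, the domain CONTOSO and the schema and object names are assumptions; the role and group names are the post's own.

```sql
-- Added example (not from the original post): the recommended pattern end to end.
-- Assumed names: database PayrollDB, AD domain CONTOSO, schemas Finance and Staging.
USE master;
GO
CREATE DATABASE PayrollDB;
GO
USE PayrollDB;
GO
-- 1. Schemas that mirror the business / technical boundaries
CREATE SCHEMA Finance AUTHORIZATION dbo;
GO
CREATE SCHEMA Staging AUTHORIZATION dbo;
GO
-- 2. Objects live in the appropriate schema, not in dbo
CREATE TABLE Finance.Invoice (InvoiceId int PRIMARY KEY, Amount money NOT NULL);
CREATE TABLE Staging.InvoiceImport (RowId int IDENTITY PRIMARY KEY, Payload nvarchar(max));
GO
-- 3. Database roles that describe a job function, never a person
CREATE ROLE db_finance_admin_role;
CREATE ROLE db_developer_role;
GO
-- 4. Permissions are granted once, at schema scope; objects created in the schema later inherit them
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Finance TO db_finance_admin_role;
GRANT SELECT ON SCHEMA::Finance TO db_developer_role;          -- read-only on business data
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Staging TO db_developer_role;
GO
-- 5. AD groups get the login and database user; no per-person logins
CREATE LOGIN [CONTOSO\Finance_DB_Admins] FROM WINDOWS;
CREATE LOGIN [CONTOSO\IT_Developers] FROM WINDOWS;
CREATE USER [CONTOSO\Finance_DB_Admins] FOR LOGIN [CONTOSO\Finance_DB_Admins];
CREATE USER [CONTOSO\IT_Developers] FOR LOGIN [CONTOSO\IT_Developers];
GO
-- 6. Role membership goes to the group. ALTER ROLE ... ADD MEMBER is the current syntax;
--    sp_addrolemember (used in the post) still works but is deprecated.
ALTER ROLE db_finance_admin_role ADD MEMBER [CONTOSO\Finance_DB_Admins];
ALTER ROLE db_developer_role ADD MEMBER [CONTOSO\IT_Developers];
GO
-- Check: list every schema-scoped grant per role. Expect only the rows above,
-- no grants on dbo and no object-level grants that bypass the schema boundary.
SELECT pr.name AS role_name, SCHEMA_NAME(pe.major_id) AS schema_name,
       pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'SCHEMA' AND pr.type = 'R'
ORDER BY role_name, schema_name, permission_name;
```

Re-run the final query after each deployment; a grant that shows up at object scope rather than schema scope is the usual sign that someone bypassed the pattern.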
Click through for more details, including how to get to separate schemas from an all-dbo database.