Yeah, things get messy, no matter what model you choose for securing your PROD data:
- Create one user and give it all rights to the database
- Create specific users and give them the least amount of rights to do what is must, and no more
- Somewhere in between the previous 2
Truly, #3 is generally the answer. Let’s say that you give the application all the rights that any user of the system can have, and let the application dole out the rights to individuals. This is not a terrible plan, but I dare say that many databases contain data, or utilities that it is not desirable to give to the users. (My utility schema generally has tools to maintain and release code, something that you don’t want general users to have access to. And lest you have a developer working “with” you like I once did, you don’t want the application to have access to the tools to disable all of the constraints in the database, even if you have ETL uses for that code.)
Check it out for some examples.