What you describe is what I favor.
The problem here is that there is per-user security at the DB level, and there is per-user security at the application level, and there is role-based security (via AD groups) at the application level, and there is role-based security (via AD groups) at the server level, and there is user-based security (via AD permissions) at the server level. And which combination of the above is required for a given application depends on who implemented it and when.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]