The problem here is that there is per-user security at the DB level, and there is per-user security at the application level, and there is role-based security (via AD groups) at the application level, and there is role-based security (via AD groups) at the server level, and there is user-based security (via AD permissions) at the server level. And which combination of the above is required for a given application depends on who implemented it and when.