I agree with BradCathey. I cannot allow my users to have a login to my server or database, because then any of them can connect directly and bypass the logic in the middle (services) tier.
So I end up with a "service user" that can do any read/write action on the database. And then my middle tier handles the security.
It would be nice if there was a way to get this closer to the database.