similar we revolve.
And in your example I do not see how partial access (columns/rows) is implemented through application roles.
Probably because you are not a developer, it is difficult for you to understand and realize how such things can be done at the application level: how, depending on a role, group and other security attributes of the user, to grant access to individual APIs, to selection conditions, and to data attributes when building queries and performing modifying operations.
1) Everyone does it this way because MelkoSoft "told" them to. I.e. that is the reality today.
This has nothing to do with MS at all. User security management for application servers has long been carried out at the application level. It was already so 10 years ago, and for and remaining systems.
Managing user rights through the DB console is a huge security hole; it is very difficult to maintain, control and monitor. Moreover, it is not flexible.
The only case where it can really be appropriate is when there are client applications that go to the DB directly. There are no other options there, except security based on grants and through layer .
But even in the case of client applications, people build an API and adequate security at the application level on the basis of various mechanisms (role-based, claim-based, etc.).
Here put generally never in , it is a question of practicality and of the ability to solve complex tasks.
2) Access control to the data is moved far away from the data source, from the DB level to the API level. (That logically reduces security: "the further away, the worse to supervise".) Probably in some cases it is justified. Perhaps it makes something easier (though it is difficult for me to imagine what).
Quite the opposite: the data source and the means of performing operations for clients is the API, so security should be handled there. What problems with security do you see? I do not see any, and not only I.
User access management too should be hidden behind a layer of the same security. For example, roles distribute rights within the limits of their powers. How are you going to solve that at the DB level?
User access management is also carried out through the application () how will you solve that at the DB level?
Delegation of powers: how do you solve that at the DB level?
Etc., etc.; one could go on for a very long time.
3) access now those who API (system administrators or developers, depends on office)
Naturally. I can hardly imagine a situation where the head of a department asks to manage the rights of his subordinates within the limits of his powers, and is told that it is technically impossible, since it is done through the DB console, and that this requires qualification.
Qualification, just so that I can tick a box on whether Vasya may edit documents? Are you mocking me?
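
The application-level checks argued for in the post above (role-dependent access to operations, to selection conditions and to data attributes, plus rights management delegated within a manager's own powers), as an added example that is not part of the original post. The `User` model, the permission names and the sample documents are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample rows; "dept" drives row access, "salary_note" is a restricted column.
DOCS = [
    {"id": 1, "dept": "sales", "title": "Q1 plan", "salary_note": "bonus 5%"},
    {"id": 2, "dept": "hr", "title": "Hiring", "salary_note": "grade B"},
]

@dataclass
class User:
    name: str
    dept: str
    perms: set = field(default_factory=set)    # permissions held, e.g. "doc.edit"
    manages: set = field(default_factory=set)  # departments this user heads

def visible_depts(user):
    """Departments whose rows the user may touch: own plus managed ones."""
    return {user.dept} | user.manages

def list_docs(user, docs=DOCS):
    """Row filter (selection condition) plus column filter (data attributes)."""
    if "doc.read" not in user.perms:
        raise PermissionError(f"{user.name}: doc.read required")
    hide = set() if "doc.read_salary" in user.perms else {"salary_note"}
    return [{k: v for k, v in d.items() if k not in hide}
            for d in docs if d["dept"] in visible_depts(user)]

def edit_title(user, doc_id, title, docs=DOCS):
    """Changing operation: needs the permission and row-level visibility."""
    doc = next((d for d in docs if d["id"] == doc_id), None)
    if doc is None or "doc.edit" not in user.perms or doc["dept"] not in visible_depts(user):
        raise PermissionError(f"{user.name}: cannot edit document {doc_id}")
    doc["title"] = title

def grant(granter, grantee, perm):
    """Delegation within the granter's own powers: only to subordinates in a
    department the granter heads, and only a permission the granter holds."""
    if grantee.dept not in granter.manages or perm not in granter.perms:
        raise PermissionError(f"{granter.name}: cannot grant {perm} to {grantee.name}")
    grantee.perms.add(perm)
```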