Agreed all round. We've been using this model for some years years now and it has made a world of difference.
It's a moot point - but how many DBA's out there are in a position where they have a say in what authentication models get used?
I am surprised by the number of of client's DBA's who are held responsible for the integrity of the databases under their jurisdiction - whilst at the same time have absolutely no say in the security/access models used by developers.
Have other folks out there found this to be a problem?