After struggling with user-based security we've transitioned to proc-based security. This works well when the schema of the proc and tables are the same -- except in cases of dynamic sql, and for that we've been using "execute as owner".

To simplify matters we have also switched to keeping everything in the dbo schema.