Yes, understanding the nuances of RDBMS security models can be difficult. Really, most DBAs don't know as much as we should. Everything from contained users, ownership chaining, nested domain groups, etc.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho