If you used your last idea of creating separate users and assigning separate rights per stored procedure and such to individual users it would be a nightmare to keep track...