Unanswered: Opinion Requested on Developer Permissions
We are trying to restrict developer permissions in our development environment. One thought is to add developers to db_datareader, db_datawriter, db_ddladmin, db_securityadmin and then revoke various permissions from ddladmin and securityadmin. The goal is to allow developers to create stored procedures and assign permissions to the stored procedures.
Another option is to place all developers in the same role and ask them to create all procedures using that role name (ex: dev_role.sp_procedurename). By doing this, each developer will be able to run stored procedures created by another developer. The downside is that the permissions do not match Model Office/User Test and Production.
We have the same thing here as Brett does there. Developers get added to the db_owners group in development, and are barred from using anything but the application logins in QA and prod (too hard to police, anyway). No one ever gets sysadmin on anything (and oh, how they ask).
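The goal stated in the question (developers can create stored procedures and assign permissions on them) can also be met with a custom role and explicit grants, since the permissions of fixed database roles such as db_ddladmin cannot be altered. The script below is an added example, not part of the thread; it assumes SQL Server 2005 or later, and the schema `dev` and the users `dev_user1` and `app_user` are hypothetical names.

```sql
-- Added example (not from the thread). Run in the development database
-- as a member of db_owner. All object and user names are hypothetical.

CREATE ROLE dev_role;                        -- one role for all developers
GO
CREATE SCHEMA dev AUTHORIZATION dbo;         -- shared schema for their procedures
GO

-- Constructed sample principals so the script runs stand-alone.
CREATE USER dev_user1 WITHOUT LOGIN;
CREATE USER app_user  WITHOUT LOGIN;
EXEC sp_addrolemember 'dev_role', 'dev_user1';

-- Data access equivalent to db_datareader + db_datawriter.
GRANT SELECT, INSERT, UPDATE, DELETE TO dev_role;

-- Creating a procedure needs CREATE PROCEDURE in the database
-- plus ALTER on the target schema (implied by CONTROL).
GRANT CREATE PROCEDURE TO dev_role;

-- CONTROL on the schema lets members alter, execute and GRANT on any
-- object inside it, without db_ddladmin or db_securityadmin.
-- Caveat: the schema is owned by dbo, so procedures created in it
-- ownership-chain to dbo-owned tables regardless of the caller's own
-- table permissions.
GRANT CONTROL ON SCHEMA::dev TO dev_role;
GO

-- Check as a developer: create a procedure and hand out EXECUTE on it.
EXECUTE AS USER = 'dev_user1';
GO
CREATE PROCEDURE dev.usp_demo AS SELECT 1 AS ok;
GO
GRANT EXECUTE ON OBJECT::dev.usp_demo TO app_user;
REVERT;
GO

-- Review exactly what the role holds.
SELECT pr.name AS grantee, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'dev_role'
ORDER BY pe.class_desc, pe.permission_name;
```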