question

I would normally use both. Database roles for the types of thing that need to be undertaken in the database, AD groups to assign users to them, again based on job need. A factor here is that AD groups are often maintained outside of the DB sphere - this may be a pro or a con depending on your viewpoint, but usually means that when people change jobs, their permissions can be easily updated by virtue of group memberships. Database roles travel with the database. So in TEST and DEV environments, I want one set of users to have a given role, but it's probably very different in PROD environments - better to keep the database the same (including roles) and simply assign permissions to the role by giving users membership of an AD group. Database roles can also be source controlled - so you can ensure that permissions can be tested, and approved, with the application - leaving only who has those permissions as the variable factor. AD groups are a convenient way of giving those roles to a set of people based on a job need - for example "Salespeople" need the ability to write to the [SalesOrders] table, but not the [Salaries] table, however the people that make up "SalesPeople" will change from Dev to PROD, and for one region to another (if I have separate applications). So create SalesPeople as a databaserole, and assign permissions to an AD group (or groups) per server, then assign users to the groups. As the users' role in the business changes, move the user in or out of the AD groups, and the rest of the permissions follow. What I particularly like about this approach is that applications can read AD groups, so for instance I can get the web server delivering the application to check that the user is a member of that AD group too. my 2p.