Note that the pictures below are straw-man works in progress (TODO)

OPINION: Normally we would expect someone in the team that owns a particular application schema/database to Grant access to others (assuming security isn't handled wholly in the application tier) i.e. (taking inspiration from another fridge based analogy of Brent Ozar's) DBAs give you a shelf (database/schema) in a fridge (database instance), developers put empty containers (tables) in that fridge, end users put food in, take food out, and otherwise manipulate food (data) in the containers... developers (acting on behalf of the service owners) control who can do things to the food in the containers (through Granting/Revoking Roles and Privileges) and how (through the application code)... we (DBAs) can do all the things to the containers that developers can do and more... but just because we can give other people access to the food in your containers, doesn't mean we should ("hey, do you fancy some of this caviar?, yeah I know it's Ian's, but I can bypass the security he put on it...")

So, we (DBAs) can Grant access to these tables, but so can the schema owner. We (DBAs) probably shouldn't make those Grants because it's not our data to share.

How many DBAs

Bibliography