[SOLVED] How can I manage SQL permissions between development and production?

How can I manage SQL permissions between development and production?

I'm trying to set up a smooth deployment process where we can deploy to a production or development SQL server with a single deploy script.

But I don't know how best to manage users and permissions between the two environments. For example, in development we want the developers group to have the db_owner database role. On production we either want no access or just the datareader role.

I think the easiest way to do this would be to set up the users once on each server and then not keep them in the database project. But then they get dropped during deployment.

Is there some way I can do this using project configuration in Visual Studio?

We're using a complete Microsoft stack

Visual Studio 2010 database project
SQL Server 2008
TFS version control and build server
vsdbcmd for deployment

Solution

A couple of things make this easier:

Create meaningful role names in the database that encompass the permissions that a role should have. For instance "Development" or "Production Support". Assign permissions only to these roles and users to the roles
In your project, you presumably have different deployment configurations for your different environments. Since each configuration can use a different sqlcmdvars file, make an SQLCMD variable for your environment and put an appropriate value in for it (e.g. "DEV" for development, "PROD" for production)
Create a post-deployment script that does the right thing for the right environment based on the value of the SQLCMD variable. Something like:

if ('$(Environment)' = 'DEV')
begin
   create user [domain\developers]
   exec sp_addrolemember @rolename='db_owner', @membername='domain\developers'
end