Thanks @gbritton.
So currently we use Windows security for UI access. If Joe has permission to read/write then he can actually use Excel to access the database even though we would like to deny this.
Thus the problem.
Note permission is currently through AD Group.
I needed to create the execute role a while ago during one of the security tightenings.