Is there a way to prevent users from getting into SQL Server Management Studio so that they can't just edit table rows manually? They still need to access the tables by running my application.
easiest way: add the use to the db_denydatawrite database role
You can use a logon trigger that checks the login and the APP_NAME() like '%Management%Studio%', and if it's user(s) you don't want, cancel that login.
Our users have no SELECT permission on tables, let alone UPDATE/DELETE - only EXECUTE on Sprocs.
We do have some VIEWs that they have SELECT permissions on. And we do have some dynamic-SQL stuff (i.e. where EXECUTE permissions on SProc is not enough) where we impersonate another user (via a CERTIFICATE / whatever)
Thanks to all for your responces