I grant database permissions to new database roles I create. Then I assign logins to this new database role. The database role names all begin with "permission_" so they are groups together and I can differentiate them between system databases roles and roles I created.
