Row/Table level access controls don't work; you can't model use cases like "a user may not insert an order if he has 3 ore more unpaid invoices" or "a user can not insert anything until his password was changed in the last 30 days" etc. We have been there, it doesnt work. Thats why we use service layers of the DB to assert business logic.