I see Navision uses SQL application roles to manage user permissions to select, insert, delete data in its tables.
I see that for each navision user, exists a SQL database user with the same name.
Relation between nav roles and sql aplication roles is not direct. It seems there are as many SQL application roles as diferent sets of nav roles are applied to all nav users.
Anyway I guess there is some place where it is stored which SQL application roles each user must use. Do you know where it is stored this info? The SQL application roles names are a litlle criptic... Do they have some meaning?
Well "enhanced" is strange mechanism. As it mentioned here it has a "activation mechanism" for application roles and almost no documentation (even on administrating level).
As far as I understand this is the way it meant to be used: you enable enhanced level and administrating users and their roles in Nav, after that you develop (or use) third-party application that uses Nav data through SQL Server directly (loosing all business logic of course). In this case you can use same user credentials both in Nav and in the application and have same access level to the data (and same restrictions). But this does not mean you can manage permissions outside of Navision. Moreover because of mentioned "activation mechanism" the only place to manage security is classic client.
In case of standard security application user will have SQL-managed set of permissions and Nav user will be restricted by Nav Roles. And be the happiness.