I don't want to give DROP or ALTER access to a reporting userid in the DB. Is there a big drawback to allowing the CREATE VIEW and not giving ALTER or DROP to the user? or am I trying to be too security conscious?
Do they need to regularly or urgently alter or drop? If so, give them the permissions.
If not, let them go via a formal channel to request the change.
Always give the least privilege possible, that's not "too security conscious"