As you would expect for maximum security, the only allowed access is via a stored procedure from a group.  In database scanner, group and role mean the same thing depending upon which version of SQL Server you are using.  You will most likely need to make compromises on this screen depending upon your environment.  It is really too bad that everything is an all or nothing approach.  Many of the environments I've been in are set up such that a particular group(s) can directly hit tables while most of the other groups can't.  You have no such granular capability and instead have to rely on ignoring some of the violations that are thrown.  The one option that doesn't work against a 7.0 server is the detection of whether permissions can be delegated.   This feature relies on someone using the grant with grant option.  One of the main failings of security in 7.0 is that any member of a role can add any other user to that role.  Most 7.0 sites have gotten lucky simply because most people don't know this barn door exists in security.  Database Scanner does not detect this problem.  I haven't encountered a problem it in any environments yet, because I manage permissions the hard way due to this problem.  I do not use roles to manage security with the exception of fixed server or database roles.  I individually grant access to users, because they will not have authority to grant access to someone else.  The role concept was well done in 7.0.  The implementation of roles was poorly done.

Database Scanner 3.0.1 1 2 3 4 5 6 7 8 9 10