In NAV there should be the role “SECURITY” which should be the right one. In SQL Server the login should be assigned to the server-role “securityadmin”.
Database Role db_owner is only required to insert tables.
We have configured our system so that each company have one dedicated super user who is allowed to change the user permissions. But they are not a member of the SUPER role in NAV and do not have, but they are a member of the securityadmin role in SQL. And on the other hand none of our developers/consultants are allowed to change user permissions.