All users should have be added to the database with the public role only. Specifically, nobody should be given the roles db_datareader and db_datawriter. The DbGrants.exe tool will remove users from these groups when it is run. Running this tool is part of a standard database update process.
Users are usually added in the application, via the Superuser menu. If users are added with database tools, e.g. if there is a need to add users in bulk, there is a stored procedure in the FastTrak database that should be used:
EXEC AddUser 'domain\user'
Role membership should be managed exclusively through the FastTrak application, via the Superuser menu, except for the db_owner role which can be given with database tools.