What is the best practice for Windows Auth and SQL CRUD operations for an ASP.NET Core Web App?
I am working on an ASP.NET Core Web App that needs to talk to two different SQL Server databases. The Web App is running under a Windows Service Account in IIS that is specific to this app, app pool, and server. I have real Windows users that will be using this app via Chrome for various CRUD operations. I am being encouraged to follow the Principle of Least Privilege and split out the Read actions and Create/Update/Delete actions into two separate accounts, for each database, resulting in 4 accounts accessing SQL across 2 databases.
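The read / write split described in the question, sketched in T-SQL for one of the two databases as an added example that is not part of the original post; the second database would get the same pair of roles and accounts. The database `AppDbOne`, the table `dbo.Orders` with key column `OrderId`, the role names and the `CONTOSO\svc-webapp-db1-*` Windows accounts are all hypothetical placeholders.

```sql
-- All names are hypothetical placeholders: database AppDbOne, table dbo.Orders,
-- roles app_reader / app_writer, Windows accounts CONTOSO\svc-webapp-db1-read / -write.
USE master;
GO
CREATE LOGIN [CONTOSO\svc-webapp-db1-read]  FROM WINDOWS;
CREATE LOGIN [CONTOSO\svc-webapp-db1-write] FROM WINDOWS;
GO

USE AppDbOne;
GO
-- Permissions go to roles, not accounts, so an account can be replaced
-- without re-granting anything.
CREATE ROLE app_reader;
CREATE ROLE app_writer;

CREATE USER [CONTOSO\svc-webapp-db1-read]  FOR LOGIN [CONTOSO\svc-webapp-db1-read];
CREATE USER [CONTOSO\svc-webapp-db1-write] FOR LOGIN [CONTOSO\svc-webapp-db1-write];
ALTER ROLE app_reader ADD MEMBER [CONTOSO\svc-webapp-db1-read];
ALTER ROLE app_writer ADD MEMBER [CONTOSO\svc-webapp-db1-write];

-- Read account: SELECT only.
GRANT SELECT ON SCHEMA::dbo TO app_reader;

-- Write account: Create/Update/Delete, with no schema-wide read.
GRANT INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_writer;

-- An UPDATE or DELETE with a WHERE clause also needs SELECT on the columns
-- the predicate reads, so the writer gets column-level SELECT on the key only.
GRANT SELECT ON OBJECT::dbo.Orders (OrderId) TO app_writer;
GO

-- Check: list what each role actually holds in this database.
SELECT pr.name AS role_name,
       pe.state_desc,
       pe.permission_name,
       CASE pe.class
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- schema-level grant
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- object- or column-level grant
       END AS securable,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'app_reader', N'app_writer')
ORDER BY pr.name, pe.permission_name;
```

The final query should return one `SELECT` row for `app_reader`, and for `app_writer` the three write permissions on the schema plus a single column-level `SELECT` row; anything beyond that is privilege the split was meant to remove.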