I've found using operating system authentication is useful for this. We use A/D groups: I have one for Read only access and others for departmental editing rights. The connection file (.sde) can be transferred between users and it works with just their login. They will know their password, but they don't use it when building a connection file with operating system authentication.
For example, Sally is in the Utilities department so she is in the GISDB_Read and the GISDB_UtilityEditor A/D groups. In the GIS database the groups are given rights on each layer/table/dataset. Sally's connection file can be called GISDBAccess.sde for instance and it can be copied from her profile to Jim's profile on his PC. When Jim connects to the database Jim's connection is using the Operating System authentication for his Windows account and he will only have the rights that his user has based on the A/D groups he's been assigned to. I hope that makes sense and helps. You can reach out if you have any follow up questions, mnorthey@ocalafl.gov.