I've never used Crystal Reports, so I don't know how they work, so I can only answer in general terms.


Something/someone must always be able to "see" the database in order to extract data from it.

You could - I guess - make a data access layer which handles the access to the database, and then simply deny all other users (then the one in the data access layer) access to the database.
Whether that would solve your problem(s) - I don't know off.
This layer would be able to return datasets, lists of objects etc.
The way to access this layer would then depend on how you can integrate it with Crystal Reports - whether it is possible at all I don't know, or whether Crystal Reports must access the database to work with the data.


Otherwise - as you say - use SQL Server security to set up a method in there for people to access the data. Deny reading/writing to tables for the Crystal Report user(s)/logins and give access to viewes/stored procedures etc to compensate.

But you can never fully hide the database if you wish to use information from it.