What’s the most secure way to grant a user permission to update in a multisite?

The best way is to define a new role. An easy way to accomplish this is with the role scoper plugin. Otherwise you’ll just have to write that plugin yourself manually.

Here is a basic example pulled from the Codex

$result = add_role(
    'basic_contributor',
    __( 'Basic Contributor' ),
    array(
        'read'         => true,  // true allows this capability
        'edit_posts'   => true,
        'delete_posts' => false, // Use false to explicitly deny
    )
);
if ( null !== $result ) {
    echo 'Yay! New role created!';
}
else {
    echo 'Oh... the basic_contributor role already exists.';
}

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)