Business Objects reporting over NetWeaver - Best Practice

I have  delivered a number of Business Objects projects reporting over data held in NetWeaver BI and are frequently asked what is SAP best practice.   In the absence of any formal over reaching best practice I believe the following to be true.

Where security best fits across and integrated landscape

The best practice approach to integrated security is to allow each application to do what it isbest at.

Business Objects XI Platform

• Secure what Business Objects applications a user can access


• Secure what Folders and Reports a user can access

Business Objects Universe

• Secure the data rows returned to a user buy integrating the universe and BEx queries.

SAP BEx queries

• BEx Queries offer a flexible extension to the data modelling environment. InfoCubes require more effort to change


• BEx Queries offer significant functionality to create customized data sources that meet end-user requirements, such as Calculated Key Figures, Restricted Key Figures and SAP Variables


• In the OLAP BAPI interface, not all BW metadata features can be retrieved on an InfoCube level.


• Secure the data rows returned to a user within a report with data restrictions by way of SAP authorisations.

SAP BI

• Analysis Authorisations are to be  used to control access to data within reports

Summary

Therefore I suggest  to maximise integrated security the best practice approach is to create universes over BEx queriesand manage data restrictions by way of SAP analysis authorisations, with BOBJhandling who can see what folders and objects via InfoView.