Today in our BW system we secure end user access by defining the datastore security access and the query access on the datastore using a naming convention. So for datastore OM_C01 we would define access to a user as infoprovider OM_C01 and Query OM_C01*. Since users do not have developer rights the users only have access to the fields and formulas we have defined in the queries.
If we start to develop Crystal reports using MDX as the driver directly to the cube and give users access to the query, how would we prevent a user that has Crystal installed locally with the SAP integration from having direct access to the cube to "develop" other reports with access to the entire cube?