Two approaches are possible to build security for a SAP BI-BO Integration project.
Restrictions on both SAP BI (viz. InfoAreas / SAP BI Queries) and BO (Folder, Report, Activity).
This approach is bit more complex, but would also handle situations where BO may not be used directly on top of SAP BI (viz. Data export from SAP BI using Open Hub to other down-stream systems.)
Handle security at only BO Level and do not restrict at SAP BI Level.
This approach is dependent on BO for the current project to handle security & is more flexible. Security is handled at only one level. It could be a potential risk / an audit issue, since there is a dependance on future projects' to always handle security appropriately at their end.
Request your suggestions / best practices; to freeze to one of the two approaches.
Rajesh K Sarin