Data security for multiple data sources

Dear BO guru's,

I am struggling with a brainbraker on authorizations on Universes since quite some time.

I am not a BO guru so hopefully someone can help me with this.

I (more or less) know the concept of data security in BO: users can be restricted on data level in (mainly) two ways:

1) with roles in CMC and with restrictions in Universe Designer.

OR

2) with a DB table that contains all authorized values per user and per field (i.e. John can see data for country UK)

The first is easy to set up, but hard to maintain.

The second is difficult to set up, but very flexible.

Now here is the problem...

Supporse your BO server is connected to different source systems (i.e. an SQL server, an Oracle server...) and you want only one universe to get data from all systems at the same time and display it in one report.

If I am not mistaken, this means we need a data federator.

...My questions:

1) Is there a possibility to do this without a data federator (but still have one universe to build my report or dashboard on)?

2) Where do I keep the table with authorizations for the users? Is that a database of the BO Enterprise server, a seperate data base, or in a table of one of the source systems (SQL, Oracle...)?

As this questions keeps me busy since long time, I would be very grateful to have your help.

It seems hard to find information on this.

Thanks a lot in advance!

UniverseDummy