+ do we support security constraints for logical entities? (can see datasource "Foo" but not datasource "Bar")
++ relates to "model-reference issues".
In the long run (AS 9 or later), we should make this possible. For now, none of the permission schemes we've seen have required support for this.