Thanks David, This is the best answer on what SAS-VA does and how it works I have ever seen.  The hypothesis I did are also living much more on internet-fora. There is a lot confusion as it also postioned as completely new (sales/marketing) .    

For the security part, very nice you are saying it is a new service in SOA. What remains is the old issue of the security implementation that has always been there. Working with analysts (reporting or advanced) is transferring some repsonsibilties of IT to the users (self-service). At IT organizations this is often not possible not being a part of the architectural frameworks.

No matter what you do technically  (eg the inventory of lockdown) there will be no alignment to a mandatory governance being there.

The SQL-injection was not meant literally I am more thinking about SAS-code injection. As soon as there an option to define/insert code by an user/programmer it can be abused in a similar way. It is the already mentioned trade off by end-user self-service.

SAS VA 6.3 (users guide) is supporting customizing code (chap 17). Chap 18 is about scheduling and mentions DI as possible part of a SAS-VA deployment.  When you would AMO add to SAS_VA, I assume Workspace servers being added, the same way as BI/DI server. Workspace-Servers running by a high priviledged account are possible sensitive to security breaches.

I understand your concern about access to LASR from AMO, EG and DI Studio and whether those access points are secure.  The LASR server is quite secure-- even a user that has the ability to write any SAS code they want can only access LASR tables if they've been given explicit permission.  There's two security models, but one or the other is always in play and without permission, you can't get in.  There are, of course, best practices that should be followed to ensure that data is secure.  Even a building with the highest quality locks is only secure if the doors are closed and locked.

David,  That is another good addition.   It is very nice having got these answers from you.    

I am somewhat disappointed  how SAS did the security at the BI/DI server platform. It is missing major guidelines (global = standard of good practice) and missing the impact of imbedding that all well in the OS-security.  A building should also be served for users as the beste security is not having any usage at all.    "A FALSE sense of securityis worse than being unsure."

got it....