Greetings ,
Hope you are doing well.
This depends mainly on the security model and policies implemented in your organization. Since different data layers are normally managed by different users; therefore, roles need to be controlled carefully to implement enough segregation of duties. In this case, several best practices can be implemented such as defining [roles](https://community.denodo.com/docs/html/browse/latest/en/vdp/administration/databases_users_and_access_rights_in_virtual_dataport/user_and_access_right_in_virtual_dataport/user_and_access_right_in_virtual_dataport#roles) with only needed permissions, implementing multiple global security policies with limited indirect access as well as developing appropriate [custom view policies](https://community.denodo.com/docs/html/browse/8.0/en/vdp/developer/custom_policies/developing_a_custom_policy). For more detailed information, the following KB article describes the[ best practices in designing fine-grained privileges](https://community.denodo.com/kb/en/view/document/Best practices in designing fine-grained privileges in multi-layered virtual models).
Hope this helps !