Fabian, are you saying that 1) the user can log in to studio directly and then they see only the same views they are allowed to see via the XS-Engine web server, or 2) they see additional views that they do not see via the XS-Engine web server?
If the answer is 1, then I'm assuming they can only perform data preview, which should be exactly the same as via the web server, i.e., they should not be able to view the design or model of the view if the security is set up correctly.
If the answer is 2, then they may be able to see the names of the views inside SYS_BIC; however, they should not be able to data preview any views that they cannot data preview via the web server if the security is set up correctly. Nor should they obviously see the design or model.
Can you clarify which is the case? Thanks!
-Patrick