Whether v7 decides to go Crystal or Windows Reporting there should be security within Jiwa which will allow users to see (and run) reports or have them invisible.
Classic example is where users have no need to see General Ledger stuff, but currently the reports are still executable. The reports should also be restricted via user (or role) security.
I know that we can currently control report execution at the SQL level by setting SQL security based on the JiwaReports user, but that is cumbersome & technical & needs to be done by us JSPs.
cheers