SCM 7.0 / APO Security

With the new analysis authorizations concept the use of organizational restrictions within an ABAP roles is obsolete. Other than the three SAP recommended authorization relevant objects what other objects are must haves for authorization relevant objects in APO. Did you use location or planning book for any of the infocubes? The SAP security guides are product and point to many obsolete links. Is one approach better than another? What solutions did you use to prevent the creation of thousands of individual roles? hierarchies? paths? etc? Is there a thread related to SCM 7.0 authorizations lessons learned. I found quite a bit related to BI, but nothing for SCM/APO.