Best Practise is to have an app which does all your transformation, then you have the last app that will only have the front end and will not have any transformation. They are usually three Tiers, were tier 1 just pulls the data and stores into qvds then tier 2 will do all the transformations then tier 3 will only have frontend. On Tier 1 and Tier 2 you will drop all the tables once they are stored into QVDs so that maintenance is quick and easy.
I created an app, did the binary load, created the section access. the funny thing is that I don't have access to that app once I load it, maybe because my user name is not in the list of users in the UserTable.
I would advise creating the security layer when you are loading the data into the dashboard before you create the app as you will have data in the app and that could be sensitive data in wrong hands. What I always do, is to create an admin user for me to work and knowing my information is safe until you done, then add all the other users.