At Cognos 10.2.2 it was possible to hide report logic from users by giving them only execute permission to a report.
It seems CA requires Read in addition to Execute to run report (as the simolified "Run" gives).
Also in 10.2.2 it was possible to hide package metadata from users by giving them only execute permission to the package. CA requires Read to the package to be able to run a report against it (and when user has Read, restricting Capabilities of package is irrelevant as user can make a private copy of it).
Please prove me I am wrong...
Update: An obvious but slightly awkward solution to running a report using a package without read permission is
- make report be owned by a user having read permission to the package
- to set the report to run with owners credentials
- grant less powerful users permission to use this "power users" credentials.