I have the same issue. I have determined how to give the correct rights to refresh the data.
What I have found is that in order to allow the users to refresh the data I need to give the users access to the universes and Web Intelligence (type of document being refreshed). In doing that the users have the ability to create their own documents and save them to their personal favorites folder.
How do I restrict the users from being able to create their own reports?
It is better to give Custom access level for the security to the user groups.(This is new feature in BOXI3.x versions)
You can deny the rights on WebIntelligence applications , then user can not access the universes.
More to know start from XI 3.0 Security for Mere Mortals