We are facing issue with license setup vs access rights. 
We did verify the instance, OBS and global rights for that resource but we are seeing few rights at license portlet(of type FULL) those not there at resource access rights level. 
Resources with no groups have ‘mystery’ additional rights which cannot be removed.

After further digging from SAAS side, we see Rights by User portlet is using views in the query which might be creating this discrepancy (user account access rights and Rights by User portlet results are not same). 

     FROM     cmn_sec_groups_v s,cmn_lic_lookup_v v,cmn_sec_users u,cmn_lic_right_v r
         WHERE    s.id in ( SELECT right_id
                        FROM cmn_lic_users_v
                        WHERE [email protected]:param:xml:integer:/data/user_id/@[email protected])
         AND      EXISTS (select  1
         FROM    cmn_sec_chk_user_r_v0
         WHERE  object_id = 1
         AND  permission_code = 'AdminAccess'
         AND  user_id = @WHERE:PARAM:[email protected])
         AND      @[email protected]

Release : 15.9.2

Component : Clarity Users, Groups, OBS Administration

It was identified that user has rights directly assigned at the Department OBS unit level and that was the reason some users were getting additional rights. Removing those rights from OBS unit would reduce license count because users who assigned to those units will no longer getting those additional rights.