After creating a user in Identity Governance with basic role, the user is still able to see all the tabs in the management console just like an administrative user.   

How can the basic role permissions be enforced? 

By default, CA Identity Governance Portal security is disabled. When a user logs in using a recognized user name, the Portal does not verify the user permissions and there are no limits on what the user can view and do.

This behavior is governed by the parameter: 

sage.security.disable=true

This parameter will need to be set to false so that only the specified permissions are allowed for the user. 

Once the value is set to false, restart the application server.  

For more information, see:

14.5 Documentation - Governance Security and Encryption