By default, CA Identity Governance Portal security is disabled. When a user logs in using a recognized user name, the Portal does not verify the user permissions and there are no limits on what the user can view and do.
This behavior is governed by the parameter:
sage.security.disable=true
This parameter will need to be set to false so that only the specified permissions are allowed for the user.
Once the value is set to false, recycle Jboss.