Is this just now an issue on 24.2.11, and was working before?
I’m not sure how exactly Epicor handles that situation. I generally create new security groups for different access, rather than adding multiple. I wonder if there’s a hierarchy of some kind. If you remove security group 1, save the user, then add security group one back (so that it’s second in a hierarchy) maybe the “Allow” from group 2 will override the deny from group 1?
So that’s the thing… I have two security groups assigned in the manner above, so even with that hierarchy, I don’t understand why they can’t see Sales Management.
Long ago, we were told by some consultants working for us that we should do security as Deny or Allow, but not both because it’s too easy to break it. We chose the Allow route. Just my 2 cents.
That’s what I observed during implementation. If ‘deny’ is applied by one security group, it can’t be overridden by an ‘allow’ from another. I gave it some thought as a way of encoding separation of concerns but decided it wasn’t worth it. If that behavior isn’t set in stone it can change over updates, and auditing security after updates is already more than enough of a chore.
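Added example, not part of the thread and not Epicor code: a small Python model of the deny-wins behavior described in the last post, with an audit pass that flags users whose groups both allow and deny the same menu. The group names, user names, data layout and the "none" result for a menu with no rule are assumptions made for illustration.

```python
"""Model of deny-wins evaluation across security groups (constructed data)."""

# Constructed sample: group -> {menu: "allow" | "deny"}; names are hypothetical.
GROUPS = {
    "Group1": {"Sales Management": "deny", "Production Management": "allow"},
    "Group2": {"Sales Management": "allow"},
    "Group3": {"Financial Management": "allow"},
}
# Constructed sample: user -> ordered list of assigned groups.
USERS = {
    "user_a": ["Group1", "Group2"],
    "user_b": ["Group2", "Group1"],  # same groups, reversed assignment order
    "user_c": ["Group2", "Group3"],
}

def rules_for(assigned, menu, groups, decision):
    """Groups among `assigned` that carry `decision` for `menu`."""
    return sorted(g for g in assigned if groups.get(g, {}).get(menu) == decision)

def effective_access(assigned, menu, groups=GROUPS):
    """Return (decision, deciding_groups) under deny-wins.

    Any deny wins regardless of assignment order; otherwise any allow grants.
    A menu with no rule at all yields "none" (assumption of this model).
    """
    denies = rules_for(assigned, menu, groups, "deny")
    if denies:
        return "deny", denies
    allows = rules_for(assigned, menu, groups, "allow")
    return ("allow", allows) if allows else ("none", [])

def find_conflicts(users=USERS, groups=GROUPS):
    """List (user, menu, denying_groups, allowing_groups) where both apply."""
    conflicts = []
    for user, assigned in sorted(users.items()):
        menus = {m for g in assigned for m in groups.get(g, {})}
        for menu in sorted(menus):
            denies = rules_for(assigned, menu, groups, "deny")
            allows = rules_for(assigned, menu, groups, "allow")
            if denies and allows:
                conflicts.append((user, menu, denies, allows))
    return conflicts

if __name__ == "__main__":
    for user, menu, denies, allows in find_conflicts():
        print(f"{user}: {menu} denied by {denies} despite allow from {allows}")
```

Under this model, reordering a user's groups does not change the result, so a report like this is a way to find the denying group after an update.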