Method / Data Directives security

I discovered this security variance last month and finally had a minute to dig in: Access to Method / Data Directives is controlled only by their nominal security groups, regardless of security maintenance configuration.

  • If ‘allow access to all users’ is checked, only members of these groups can access these menus.
  • Allowing any other security group access in security maintenance doesn’t provide access to these menus, unless a user is also a member of the nominal security group.
  • If the method/data directive groups are added to the list of disallowed users and groups, they aren’t disallowed access.
  • If ‘disallow access to all users’ is checked, members of the method/data directives security groups are not disallowed access.

The Menu Security Audit Report and its data sources only see standard security configuration, which doesn’t apply here. Does anyone have a good way to audit what security paths work this way? I want to make reviewing this variant security method part of my security audit process.