As a practice, we've limited all permissions to be assigned only through roles. This limits the locations someone would be assigned a permission. To track down further how the some are gaining access, try to find a user that has access, but the least amount of roles and groups. Then go through and look at the permissions for each role and group. You should be able to find it there. Of course, if some of your members of the HD group also have the Administrator role, they would no doubt be able to access the action.
↧