The order in which the PathCheck directive occurs in the https-server-id object tag in the generated.https-server-id.acl file might grant undesired access to resources. To prevent unauthorized access, edit the <server-root>/generated.https-server-id.acl file, specifying a comma-separated list of program groups for which access control is required, as shown below:
Below the line:
allow (all)
user=<username> and program=<program group, program group...>;
add the following line:
deny absolute (all)
user=<username> and program!=<program group, program group...>;