A user is granted connect, then granted select on certain tables. Instead of being limited to only those tables the user can access all tables.
The data base had been configured as READ_ONLY; this entry was found in the acuxdbc.cfg file:
Therefore the GRANT operations could not actually update the tables containing the security settings.
The solution is to set "read_only false", or to comment out that setting, then perform the GRANT operations.