I found a bug or security vulnerability

If you define a custom menu, all technicians can click on its options, and if one of the options in this menu is access to ESM portal settings, technicians will be able to view/edit it, etc.

For example, if one of the menus is

https://localhost/ESM.do?type=users&viewType=list

That technician has full access to all ESM portal settings