When GeoFence option "Use GeoServer roles to get authorizations" is activated, if someone defines a rule allowing a certain user to do something then everyone will inherit those permissions.
For example if we define a rule allowing a certain user to do everything everyone will be allowed to do everything.
This is a consequence of how the filter to select the matching rules is build, when the option above is activated users column is ignored:
To reproduce this issue just activate the option "Use GeoServer roles to get authorizations" on GeoFence configuration page and define a single rule allowing only a specific user to do everything. Logout and try to do something, no restrictions will be applied.
The original use case that motivated this option was very specific and not needed anymore.