Description

Even though the 'Visual Task Board' module was hidden from users, a few users were still able to open it from the incident context menu and by direct URL, and see the data.

Cause

The 'Visual Task Board' module, like any module in the application navigator, can be thought of as a link or shortcut to a particular list or item. Hiding the module hides only that shortcut; it does not restrict the data that users can already see. If they have the direct link, they can still see the board. The menu item in a list context menu, such as the one on the incident list, is another way users can open VTB, so to restrict that, conditions need to be applied on the UI action as well.

Resolution

If users have saved the direct URL in their favourites, they can still see the data. To restrict that, the customer can create either a READ ACL or a Before Query business rule on the vtb_board table to restrict the visibility of the board to a certain group of users. Here is a sample Before Query business rule that denies VTB board access to all users except admins:

// Before Query business rule on vtb_board: stop the query for non-admin users
if (!gs.hasRole('admin')) {
    gs.addErrorMessage("You are not authorized to view this type of Board!");
    current.setAbortAction(true);
}

In a nutshell, hiding the 'Visual Task Board' module was never expected to stop users from seeing the VTB, as they could still open it 1) through the UI action in the list context menu and 2) with direct URLs.
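
The following is an added example, not part of the original article or ServiceNow's own code. It shows one way to keep the Before Query business rule and the UI action condition on the same check, extended from admins to a group of users. The group name 'VTB Users', the function names, and the fakeSession/fakeBoardQuery stand-ins for gs and current are assumptions constructed so the logic can run outside an instance.

```javascript
// Added example (not ServiceNow's own code). ASSUMPTION: the group name
// 'VTB Users' and all function names below are hypothetical.
var ALLOWED_GROUP = 'VTB Users';

// Single predicate: admins and members of the allowed group may see boards.
function canViewBoards(gs) {
    return gs.hasRole('admin') || gs.getUser().isMemberOf(ALLOWED_GROUP);
}

// Body of the Before Query business rule on vtb_board (covers direct URLs).
function beforeQueryRule(current, gs) {
    if (!canViewBoards(gs)) {
        gs.addErrorMessage('You are not authorized to view this type of Board!');
        current.setAbortAction(true);
    }
}

// Condition for the list context-menu UI action: the same predicate, i.e.
//   gs.hasRole('admin') || gs.getUser().isMemberOf('VTB Users')

// Constructed stand-ins for gs and current so the logic runs outside an instance.
function fakeSession(roles, groups) {
    var messages = [];
    return {
        messages: messages,
        hasRole: function (r) { return roles.indexOf(r) !== -1; },
        getUser: function () {
            return { isMemberOf: function (g) { return groups.indexOf(g) !== -1; } };
        },
        addErrorMessage: function (m) { messages.push(m); }
    };
}

function fakeBoardQuery() {
    var q = { aborted: false };
    q.setAbortAction = function (flag) { q.aborted = flag; };
    return q;
}

// Run the rule for one constructed user and report the outcome.
function simulate(roles, groups) {
    var gs = fakeSession(roles, groups);
    var query = fakeBoardQuery();
    beforeQueryRule(query, gs);
    return { menuVisible: canViewBoards(gs), aborted: query.aborted, messages: gs.messages };
}
```
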

Article Information

Last Updated: 2020-01-18 00:07:06
Published: 2020-01-18