Have an incident where users can bypass the restricted group access by logging in via the Self Service Console. If you have an APP account set up, but do not have the appropriate RSA group assigned, you can still log in to the APP site by bypassing the login screen and logging in to the Self Service Console first.
You should open a support case for this, so we can discuss if there is a configuration issue or a bug. Discussing this here might reveal more about what you have set up that should not be revealed in a public space. The first questions I would be asking... the answers might not be appropriate in this forum and may be too revealing about your operation.
EDIT: you now have a new support case for this