I created a normal users, with no 'Technical Features' access rights granted. I logged in with this user, and opened some screen. 

Now I logged in using the admin user, opened the 'users' list view and got the 'action' # from the url of this view,

http://localhost:8069/web#page=0&limit=80&view_type=list&model=res.users&menu_id=85&action=76

From the user's url I changed the action # of the current view to be 76 same as that of the 'users' list view.

The user, which has no access rights to the 'Technical Features' was able to see the 'users' list view

Moreover, he can access groups and other technical features by changing the action id from the url

I don't need this user to see these data.

How to prevent this behavior or work around it?