Oh, and I would also not rule out the possibility that one of the internal objects to which users need access is to blame; not all of them are documented.
If you can't resolve it by giving users report read rights to their executable objects (such as jobs), you might want to see this thread; you can configure "audit failure" messages, which would then tell you which rights are lacking.
Disclaimer: while the concept appears sound, I have not tried this myself and have no idea how useful the results will turn out to be.