You recommend using MENUAUTH instead of MENUITEM to cover SIGNOVR for the action profiles. TRANSFER potentially allows users to break the migration path, therefore we also want to restrict use of TRANSFER. Only MENUITEM covers TRANSFER. We do not want to use both MENUAUTH and MENUITEM, that is mostly redundant and too complicated. We want ti restrict use of both SIGNOVR and TRANSFER without restricting anything else (in accordance with the APE principle of relying mostly on package approvals to grant permissions) using either MENUAUTH or MENUITEM if possible.
Question: if we use MENUITEM, require UPDATE access for SIGNOVR but READ access for the other actions, and selectively grant some people UPDATE access for the various actions that support SIGNOVR such as ADD, SIGNIN, etc., then would only those users with the UPDATE access be able to execute sign out override?