We generate user menus from DEM (modus Business Process Browser).
We also generate the session authorizations.
It seems like DEM generates much more session authorizations than as used in the DEMS. I know that there are some zoomsessions which will be authorized too in this way.

But If I setup an user with a very simple DEM with only a display session I already see after generating the menu, that the user has also session authorization for a couple of maintain sessions!
Those maintain sessions can never be reached fromout his DEM.

So wat is the logic and why does DEM generate more session authorizations than needed?

I think the reason being that you are trying to include subsessions that must only be called from main sessions.

The zoomsessions as well as the sessions in the zoom Menus make the autorization entries

When we generate a user, all session and models which is given in the role is authorised to him. Subsession cannot be attached in the process model.

The info below is valid for BaanIVc

The generate session automatically searches 5 levels below the modeled session for sessions to give authorization to.
That is because for example by Sales Orders you need authorization also for the lines.
You can limit this a bit, by using the option Excl Low level maintain. Then on the lowest level only authorization for display sessions will be generated.