I found that a non-Admin user was able to access the Database options page:
https://.../Dragnet/ListDatabaseOpts.aspx
It seems that Dragnet is not authenticating users for each page. Given the URL for a hidden button, a user can actually access it?
User authentication at page level