One of the things that I often see in our industry is the culture of access control. Security measures are put into place, because you wish to restrict access to a certain thing. Systems like HRIS need such restrictions, as private information should not be publicly available to the company. However often systems that don't need security controls put into place end up having them.
Most people understand where they fall in the business, and the authority delegated to them.