It's very difficult to stay in control over whether a user can access a map or not. An extension to Administration/Users' permission tab would fit that need. Sadly, it's quite a bit of work to implement, since API functions can't be used there. An indication of the reasons would be very valuable for debugging.

As a side note, I noticed that labels are not checked for permissions. While a map containing a label like

is accessible, the label will result in "???", if host permissions are not accordingly. That might be worth a word in the documentation.