Currently, access is granted based on the user's existing product access. A user needs to have access to all the products used by the app to access it. Let's say the app uses Analytics and Campaign, a user needs to have access to both to be able to use the app.
We'd love to be able to offer more flexible and customizable access control -- but that's definitely more on the future-looking side for us at the moment.
I'd suggest being on the more cautious side exploring workarounds at the moment because the forced access control is put in place so that enterprise users would not have access to data that they are not provisioned with.