I would first suggest checking the user profiles to see if they have *ALLOBJ authority (this will override any authorities that you specify at object level).
Hope this helps,
Also, check the *PUBLIC authority on the file. Is it set to AUT(*AUTL)? If not, then authority checking for the file might never be redirected to the *AUTL.
And check file ownership. Is it owned by a group profile? Any member of the group may adopt group authority. Is any user on the *AUTL a group profile? Same story. Was authority granted to a group when the file was created? Check your profile to see if you have a group and what the group action is for created objects.
And, apart from the *AUTL, are there any private authorities on the object itself?
And, what programming is in control when queries are run? Is the call stack operating under adopted authority?