This is definitely a security issue. There is a couple things here that you should correct.
1. Don't use PegaNBAM:Agents as your primary access group. This is access group used in the backend for the agent schedule rules and REST service package rules. It is not intended for this to be used by any operator. To set up this access group correctly, please ensure that the access group has your implementation application set and that your design time configuration setting on the advanced tab of the access group rule is set to the artifacts ruleset used by your implementation application. See attached images for example.
2. Ensure that your application has unlocked ruleset versions. For the artifacts ruleset, there can only be one unlocked ruleset version and it should be the highest ruleset version for that ruleset.
3. To set up a working security setting, the easiest way is to do a save as of one of the ones shipped by Pega Marketing for Financial Services. But I have attached a copy of the sample analyst access group that you can model yours after. Ensure that your access group has your implementation application defined and the design time configuration for this access group is also set to your artifacts ruleset (similar to NBAM:Agents).
4. Once, you do this you should have the ability with your operator to checkout and save or save as these rules. And depending on your PRPC version, the location of the save button may not be the same. In newer version, the Create button is on the upper right hand side. See attached screenshot.