To allow Users access on dspCompose Request Pages, they need to be separately added to the WebAppSecurity. It seems that Security Roles aren't used by dspCompose. I would propose that dspCompose's User List recognize the Security Roles where specific Users have been added to. So users only need to be added once to the Security Roles and not as well separately to the WebAppSecurity.
(BOA Support Ticket Request #3413)