With edit permission on the app but read only permission on the resource, the user should see this message when trying to edit or creating new queries for that resource:
Check the permissions for the 'All Users' group. All users within an org are part of this group. I recommend removing access to all Apps, Resources, and Workflows for this group and setting up granular permissions for all other groups.
