The user being created was no different than what `be_allowed_for` was
doing behind the scenes so we were essentially testing all user-level
accesses twice.