If you have used the Security Configuration area within D365FO to remove security layers in the past, you may have noticed that there are certain security features that still show these removed security layers. To demonstrate this we will be utilizing the Security Diagnostics feature for this blog post. For those that may not know, this feature allows you to see all roles, duties, and privileges that have access to a form you are on.

To set up this scenario if I create a custom security role (alex_123) and assign the Accountant role as a subrole and navigate to the VendTableListPage menu item, then go to the Options -> Security Diagnostics I will see the following:

So we can see the alex_123 role has access to the VendTableListPage as we expected. Now if I go and remove this security layer via the Security Configuration form, and then come back to this screen I will see the following:

While the role label is no longer present we can validate that the entry is still there by comparing the Object Identifier column, so what is happening here? While we can validate that the role itself was removed, it is not being properly cleaned up in all security tables which means there are now dead/broken references to it which the Security Diagnostics page is picking up. So how do we fix this issue?

The easiest solution I found to fix this is to head to the Security Configuration area of D365FO and executing the Data -> Repair operation:

Once this has completed, if we navigate back to the VendTableListPage and run the Security Diagnostics feature now you will see these references are now cleaned up: