Users have found that additional permissions are showing on the "Permissions" tab in System Security Roles. These Permissions appear to be permanently stamped onto the System Role and can not be removed.
This was addressed via one-off, data-specific script.
If these "ghost" permissions appear on your System Role, you can prevent access to these roles by locating the feature permission and setting it to DENY under assigned feature permissions.
Steps to Duplicate
1) Navigate to the Application User 2) Note that the App Users system roles have additional permissions assigned under the Permissions tab. 3) Click the System Role 4) Click the Permissions tab 5) Notice that additional permissions exit on this system role. 6) Click Edit Assign Permissions 7) Notice none of the Assign permisions are granted. 8) Click the Features Tab > Edit Assign Feature Permissions 9) Navigate to the Security Folder: Constituents > Edit Forms 10) Note that the Constituent Lookup ID edit form is not granted. (this is an example permission) 11) Close the Edit form. 14) Search for any constituent. 15) Notice that you are still able to edit the Lookup ID