When the Human Resources Scoped App: Core plugin is activated, records with empty roles may get added to the sys_user_has_role table for admin users.
This can be due to missing plugin checks for Contained Roles records when the common Human Resources: Scoped App: Security dependency is installed.
For example, when HR is installed, sn_hr_le.admin role (94563e2f3b032200705d86a734efc41e) and sn_hr_migration.admin role (5105ef1d0b632200f9fd064d37673a27) get added to admin users.
Steps to Reproduce
- On an out-of-box instance, activate the Human Resources Scoped App: Core plugin.
- Go to the sys_user_has_role list.
- See that there are rows with empty roles (search for admin users).
- Inspect the system logs and see there are RoleManagementHandler entries warning about adding non-existing roles.
Delete the empty sys_user_has_role records (but do not delete any sys_user_role_contains records).
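An added example, not ServiceNow's own code: a read-only audit that lists the sys_user_has_role rows the workaround targets, assuming an "empty" role means the role field is blank or holds a sys_id with no matching sys_user_role record. The names findEmptyRoleGrants, FakeGlideRecord and SAMPLE are hypothetical, and the sample rows are constructed so the script runs offline.

```javascript
// Dry-run audit: collect sys_user_has_role rows whose role is empty or dangling.
// GR is the GlideRecord constructor; on an instance pass the real GlideRecord.
function findEmptyRoleGrants(GR) {
  var hits = [];
  var grant = new GR('sys_user_has_role');
  grant.query();
  while (grant.next()) {
    var roleId = grant.getValue('role');   // raw sys_id, or null when blank
    var role = new GR('sys_user_role');
    // Assumption: a row is "empty" if role is blank or no such role record exists.
    if (!roleId || !role.get(roleId)) {
      hits.push({ sys_id: grant.getUniqueValue(),
                  user: grant.getValue('user'), role: roleId || '' });
    }
  }
  return hits; // only sys_user_has_role rows; sys_user_role_contains is never read
}

// Constructed sample data and a minimal in-memory stand-in for GlideRecord,
// used only to exercise the function offline. Not ServiceNow code.
var SAMPLE = {
  sys_user_role: [{ sys_id: 'r_admin', name: 'admin' }],
  sys_user_has_role: [
    { sys_id: 'g1', user: 'u_admin', role: 'r_admin' },
    { sys_id: 'g2', user: 'u_admin', role: '94563e2f3b032200705d86a734efc41e' },
    { sys_id: 'g3', user: 'u_admin', role: null }
  ]
};
function FakeGlideRecord(table) {
  this.rows = SAMPLE[table] || [];
  this.i = -1;
  this.cur = null;
}
FakeGlideRecord.prototype.query = function () { this.i = -1; };
FakeGlideRecord.prototype.next = function () {
  this.cur = this.rows[++this.i] || null;
  return this.cur !== null;
};
FakeGlideRecord.prototype.get = function (id) {
  this.cur = this.rows.filter(function (r) { return r.sys_id === id; })[0] || null;
  return this.cur !== null;
};
FakeGlideRecord.prototype.getValue = function (f) { return this.cur[f] || null; };
FakeGlideRecord.prototype.getUniqueValue = function () { return this.cur.sys_id; };

console.log(findEmptyRoleGrants(FakeGlideRecord)); // offline run against SAMPLE
```

On an instance, run only the function from a background script with the real GlideRecord and review the returned list before deleting anything.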
Related Problem: PRB1248935