This is a rather vague issue but I will try to describe it as concrete as possible. At the moment we still have all our users in user groups according to the different departments each with a role with the same name. This is still a remnant of the old 9.5 suite (we are on 2018.3 now) and we plan to make entirely new roles based on our application rather than on the organizational structure. For now we have the issue that after creating a new role and applying it to the database many users get select permission denied messages on unrelated objects in the application. It was only after removing the added role from the database and IAM and reapplying all the original roles that users regained their intended access.
We can't really figure out why this happens. We will be conducting tests outside office hours so we don't bother our users again with this little hiccup. I was hoping to gain some insight here though so we better understand the possible effects of new roles on existing ones and potential caveats to keep in mind. Some kind of short best practice could be really helpful.