Quick query to list inherited (undue) rights after SP2 upgrades
Update! Added the Dataclass and Filters top level items as they also needed fixing. Also I added a reference to my original SP1 to SP2 upgrade post, with steps for fixing the issue [1].
####
I attended an upgrade for a customer installing MP1.1 on 4 servers in hierarchy (1 parent, 3 children). We had some minor problems when we got started but nothing major:
- 2 servers (including the parent) did not have the MP1.1 upgrade option because SMP 7.1 SP2 was not appearing as installed in SIM. We just ran the upgrade as a new installation.
- The parent configuration went much too fast to be healthy. In effect it did not install most of the products, so we ran "aexconfig /configureall" manually and this fixed the environment
- One role had been granted undesired rights (inherited from the hidden parent folder) on main console locations: "Reports", "Console menu", "Settings" and "Resource".
To solve the last issue we crafted a report based on the following diagram to list the items that roles had access to when they should not:
From this we crafted the following query:
/*
Top-level console folder guids used below:
Resource Management guid = 'fec994ae-1787-44c2-b5ec-e94d210838c9'
Reports guid = '4d4d03c6-cb51-4502-886f-13f756198b1b'
Settings guid = '5d9e00c1-146f-478b-a94d-ccbbe89e0347'
Tasks = '297171fd-395f-41d8-a482-ea4271bc9572'
Console menu = 'a2145b77-3df4-4b99-b36d-817d82b920a2'
Filters = 'a725fb57-09e1-4e9f-bb13-b4600094cf61'
All dataclass = 'fdbbeaae-56ed-4c15-8325-79f1fe1a27f3'
*/
-- One row per inherited ACE that a role holds on one of the top-level folders.
select i.name as 'Security Role', i2.name as 'Object', stp.permissionguid
from SecurityACEData ace
join SecurityTrusteePermission stp
on ace.TrusteePermissionId = stp.id
join SecurityTrustee t
on stp.trusteeguid = t.guid
join Item i                      -- the role (trustee) name
on t.Guid = i.Guid
join Item i2                     -- the folder the ACE applies to
on ace.entityguid = i2.guid
where ace.Inherited = 1          -- only rights inherited from the hidden parent folder
and ace.EntityGuid in (
'fec994ae-1787-44c2-b5ec-e94d210838c9',
'4d4d03c6-cb51-4502-886f-13f756198b1b',
'5d9e00c1-146f-478b-a94d-ccbbe89e0347',
'297171fd-395f-41d8-a482-ea4271bc9572',
'a2145b77-3df4-4b99-b36d-817d82b920a2',
'a725fb57-09e1-4e9f-bb13-b4600094cf61',
'fdbbeaae-56ed-4c15-8325-79f1fe1a27f3'
)
/* Uncomment to hide the built-in roles and keep only custom ones:
and i.name not in (
'Symantec Level 1 Workers',
'Symantec Level 2 Workers',
'Symantec Administrators',
'Symantec Supervisors',
'Symantec Guests',
'Patch Management Administrators',
'Patch Management Rollout'
)*/
order by i.name
One caveat when reading the result: the effective permissions of a given role can also be inherited from other roles, because roles can be nested (a role inherits the rights of the roles it is a member of), so a role that does not appear in the output may still hold these rights through a parent role.
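To account for that nesting, here is a small Python script, added as an example and not part of the original post, that takes rows in the shape the query returns and a child-to-parent role membership mapping, and reports every top-level folder a role ends up with inherited rights on, together with the role the right actually comes from. The ACE rows, the role nesting and the permission GUIDs below are constructed sample data; the membership mapping is assumed to be exported separately from the platform rather than queried by this script.

```python
"""Expand nested role membership over the inherited-rights query output.

Added example, not from the original post. SAMPLE_ACES and SAMPLE_MEMBERSHIP
are constructed data; the "perm-*-PLACEHOLDER" values are not real guids.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Top-level console folder guids, as listed in the comment block of the query.
TOP_LEVEL: Dict[str, str] = {
    "fec994ae-1787-44c2-b5ec-e94d210838c9": "Resource Management",
    "4d4d03c6-cb51-4502-886f-13f756198b1b": "Reports",
    "5d9e00c1-146f-478b-a94d-ccbbe89e0347": "Settings",
    "297171fd-395f-41d8-a482-ea4271bc9572": "Tasks",
    "a2145b77-3df4-4b99-b36d-817d82b920a2": "Console menu",
    "a725fb57-09e1-4e9f-bb13-b4600094cf61": "Filters",
    "fdbbeaae-56ed-4c15-8325-79f1fe1a27f3": "All dataclass",
}

# Roles shipped with the product (the query's commented-out exclusion list).
BUILT_IN_ROLES: Set[str] = {
    "Symantec Level 1 Workers", "Symantec Level 2 Workers",
    "Symantec Administrators", "Symantec Supervisors", "Symantec Guests",
    "Patch Management Administrators", "Patch Management Rollout",
}

# Constructed rows: (role name, entity guid, permission guid, Inherited flag).
SAMPLE_ACES: List[Tuple[str, str, str, int]] = [
    ("Helpdesk", "4d4d03c6-cb51-4502-886f-13f756198b1b", "perm-read-PLACEHOLDER", 1),
    ("Helpdesk", "a2145b77-3df4-4b99-b36d-817d82b920a2", "perm-read-PLACEHOLDER", 1),
    ("Symantec Administrators", "fec994ae-1787-44c2-b5ec-e94d210838c9", "perm-full-PLACEHOLDER", 1),
    ("Site Admins", "5d9e00c1-146f-478b-a94d-ccbbe89e0347", "perm-write-PLACEHOLDER", 0),  # explicit, not inherited
    ("Site Admins", "fdbbeaae-56ed-4c15-8325-79f1fe1a27f3", "perm-read-PLACEHOLDER", 1),
]

# Constructed role nesting: child role -> roles it is a member of.
SAMPLE_MEMBERSHIP: Dict[str, Set[str]] = {
    "Helpdesk Interns": {"Helpdesk"},
    "Helpdesk": {"Site Admins"},
    "Site Admins": {"Symantec Administrators"},
}


def parent_roles(role: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """All roles `role` transitively belongs to (itself excluded); safe on cycles."""
    seen: Set[str] = set()
    stack = list(membership.get(role, ()))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(membership.get(current, ()))
    seen.discard(role)
    return seen


def direct_inherited(aces: Iterable[Tuple[str, str, str, int]],
                     top_level: Dict[str, str] = TOP_LEVEL) -> Dict[str, Set[str]]:
    """Role -> top-level folders where it holds an inherited ACE (what the query lists)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for role, entity, _perm, inherited in aces:
        if inherited == 1 and entity in top_level:
            out[role].add(top_level[entity])
    return dict(out)


def effective_inherited(aces: Iterable[Tuple[str, str, str, int]],
                        membership: Dict[str, Set[str]],
                        top_level: Dict[str, str] = TOP_LEVEL,
                        exclude: Set[str] = BUILT_IN_ROLES) -> Dict[str, Dict[str, Set[str]]]:
    """Role -> folder -> roles the inherited right comes from (the role itself or a parent).

    Roles in `exclude` are not reported as subjects, but still show up as the
    source of a right that a custom role receives through membership.
    """
    direct = direct_inherited(aces, top_level)
    report: Dict[str, Dict[str, Set[str]]] = {}
    for role in sorted(set(direct) | set(membership)):
        if role in exclude:
            continue
        folders: Dict[str, Set[str]] = defaultdict(set)
        for folder in direct.get(role, ()):
            folders[folder].add(role)
        for parent in parent_roles(role, membership):
            for folder in direct.get(parent, ()):
                folders[folder].add(parent)
        if folders:
            report[role] = dict(folders)
    return report


if __name__ == "__main__":
    for role, folders in effective_inherited(SAMPLE_ACES, SAMPLE_MEMBERSHIP).items():
        for folder, sources in sorted(folders.items()):
            print(f"{role:18} {folder:20} via {', '.join(sorted(sources))}")
```

Running it on the constructed data shows "Helpdesk Interns" with rights on all four folders even though it has no ACE of its own, which is exactly the case the query alone would miss.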
[1] Security Role Manager: Assignment on the Tree Selector Are Not Reflected on the Tree View...