Scope: managed applications, ordinary applications.
When developing configuration roles, make sure that your methods of granting access rights to metadata objects do not allow the creation of roles that grant access to object fields but not to the object itself. Such roles cause access rights issues at the deployment stage: users might be granted access to all metadata object attributes if such roles are assigned to them.
- Select the "Set rights for new objects" check box for the FullAccess role only.
- When you add new roles, select the "Set rights for attributes and tabular sections by default" check box and clear the "Independent rights of subordinate objects" check box.
- If you need to assign rights to specific fields of metadata objects in a role (view, edit attributes, tabular sections, dimensions, commands, and others, without granting rights to the object itself), first take the following actions. In the role, select the "Independent rights of subordinate objects" check box and clear the "Set rights for attributes and tabular sections by default" check box. Also clear access rights to all attributes and tabular sections.
- Whenever you add new objects or fields of existing objects in a configuration, configure access rights to these objects and fields in the respective roles.
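One way to check these rules automatically over roles exported to XML files (an added example, not part of the original guideline or of the platform's tooling). It assumes the role's Rights.xml uses the namespace `http://v8.1c.ru/8.2/roles` and the elements `setForNewObjects`, `setForAttributesByDefault`, `independentRightsOfChildObjects` and `object`/`right`; the role name `ReadPrices` and the sample objects are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed namespace and element names of a role's exported Rights.xml.
NS = {"r": "http://v8.1c.ru/8.2/roles"}

def _flag(root, tag):
    return root.findtext(f"r:{tag}", default="false", namespaces=NS).strip() == "true"

def check_role(role_name, rights_xml):
    """Return findings for one role against the rules listed above."""
    root = ET.fromstring(rights_xml)
    new_objects = _flag(root, "setForNewObjects")
    attrs_default = _flag(root, "setForAttributesByDefault")
    independent = _flag(root, "independentRightsOfChildObjects")
    findings = []
    if new_objects and role_name != "FullAccess":
        findings.append("setForNewObjects is set outside FullAccess")
    # Valid pairs: (default on, independent off) or (default off, independent on).
    if attrs_default == independent:
        findings.append("attribute-default and independent-rights flags conflict")
    # Collect every object or field that has at least one right granted.
    granted = set()
    for obj in root.findall("r:object", NS):
        values = [r.findtext("r:value", default="", namespaces=NS).strip()
                  for r in obj.findall("r:right", NS)]
        if "true" in values:
            granted.add(obj.findtext("r:name", default="", namespaces=NS).strip())
    # Field-only grants are acceptable only in a role with independent rights.
    if not independent:
        for name in sorted(granted):
            parts = name.split(".")
            parent = ".".join(parts[:2])
            if len(parts) > 2 and parent not in granted:
                findings.append(f"{name}: granted without rights to {parent}")
    return findings

# Constructed sample: a non-FullAccess role that grants a field but not its object.
SAMPLE = """<Rights xmlns="http://v8.1c.ru/8.2/roles">
  <setForNewObjects>true</setForNewObjects>
  <setForAttributesByDefault>true</setForAttributesByDefault>
  <independentRightsOfChildObjects>false</independentRightsOfChildObjects>
  <object><name>Catalog.Products.Attribute.Price</name>
    <right><name>View</name><value>true</value></right></object>
</Rights>"""

if __name__ == "__main__":
    for finding in check_role("ReadPrices", SAMPLE):
        print(finding)
```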
Example of granting access rights in the AddEditContactInfoKinds role: