I have the backup and haven’t been successful in duplicating the issue as of yet. I have sent you some additional questions via PM as I am referring to specific tags within your data.
For a Vision project upgrade, if you intend to use Tag Security then you will need to manually add the roles on the Config > Security > Security Levels page. While everything should work on upgrade, any changes to security on tags will require this be configured.
As for keeping Roles in Sync with security levels, unfortunately it is a manual process at this time and whenever a new role is added to the DB you will have to manually add it in the Security Levels UI. This is true for both Perspective and Tag Security permissions. We have an open feature ticket to make this better as we know this is far from ideal.
The current permissions you have after upgrade came along with the definitions of the tags. When you configured the tag pre-8.0.13, you explicitly put Roles and Zones into the tag definition that was stored and it looked/looks like the following:
On upgrade that explicit definition came with the tag, and our code handles showing it as the 8.0.13 equivalent. As soon as the permissions are changed in 8.0.13 to something like read access for roles only, the old definition is removed and the definition of roles for that tag that the system inherited from pre-8.0.13 is erased and the 8.0.13 definition is added. This looks something like the following:
Since the previous definition of the roles have been erased, the only source of truth for known roles Gateway has is the Security Levels screen. I know it is a bit convoluted, so let me know if you still have questions.