diff --git a/ChangeLog.txt b/ChangeLog.txt
index 85deaf28..571c6edf 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -9,6 +9,9 @@ Broker:
 /var/lib/mosquitto/mosquitto.db.new. Closes #1978.
 - Fix potential intermittent initial bridge connections when using poll().
 - Fix `bind_interface` option. Closes #1999.
+- Fix invalid behaviour in dynsec plugin if a group or client is deleted
+ before a role that was attached to the group or client is deleted.
+ Closes #1998.
 Apps:
 - Disallow control characters in mosquitto_passwd usernames.
diff --git a/plugins/dynamic-security/clients.c b/plugins/dynamic-security/clients.c
index 50a0922e..de9092dd 100644
--- a/plugins/dynamic-security/clients.c
+++ b/plugins/dynamic-security/clients.c
@@ -35,6 +35,7 @@ Contributors:
 * ################################################################ */
 static int dynsec__remove_client_from_all_groups(const char *username);
+static void client__remove_all_roles(struct dynsec__client *client);
 /* ################################################################
 * #
@@ -482,6 +483,7 @@ int dynsec_clients__process_delete(cJSON *j_responses, struct mosquitto *context
 client = dynsec_clients__find(username);
 if(client){
 dynsec__remove_client_from_all_groups(username);
+ client__remove_all_roles(client);
 client__free_item(client);
 dynsec__config_save();
 dynsec__command_reply(j_responses, context, "deleteClient", NULL, correlation_data);
diff --git a/plugins/dynamic-security/groups.c b/plugins/dynamic-security/groups.c
index 144b3244..3213effc 100644
--- a/plugins/dynamic-security/groups.c
+++ b/plugins/dynamic-security/groups.c
@@ -44,6 +44,7 @@ struct dynsec__group *dynsec_anonymous_group = NULL;
 * ################################################################ */
 static int dynsec__remove_all_clients_from_group(struct dynsec__group *group);
+static int dynsec__remove_all_roles_from_group(struct dynsec__group *group);
 static cJSON *add_group_to_json(struct dynsec__group *group);
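Review bot: In `dynsec_clients__process_delete` (clients.c, hunk at -482) the role detach is done at the call site rather than inside `client__free_item`, so any other path that frees a client still depends on its caller remembering the step; the same holds for `dynsec__remove_all_roles_from_group(group)` placed before `group__free_item(group)` in `dynsec_groups__process_delete` in groups.c. Judging by the ChangeLog entry, roles appear to keep a back-reference to the clients and groups they are attached to, and that reference would dangle once the item is freed. If the other callers of the free helpers (not visible here) cannot absorb the detach, a comment at both sites would keep the ordering from being lost in a later refactor, e.g. `/* Detach from all roles before freeing: roles hold a back-reference to this client */`. The definition of `client__remove_all_roles` and the rest of `dynsec_clients__process_delete` are outside the hunk.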
@@ -460,6 +461,7 @@ int dynsec_groups__process_delete(cJSON *j_responses, struct mosquitto *context,
 /* Enforce any changes */
 group__kick_all(group);
+ dynsec__remove_all_roles_from_group(group);
 group__free_item(group);
 dynsec__config_save();
 dynsec__command_reply(j_responses, context, "deleteGroup", NULL, correlation_data);
@@ -583,6 +585,17 @@ static int dynsec__remove_all_clients_from_group(struct dynsec__group *group)
 return MOSQ_ERR_SUCCESS;
 }
+static int dynsec__remove_all_roles_from_group(struct dynsec__group *group)
+{
+ struct dynsec__rolelist *rolelist, *rolelist_tmp;
+
+ HASH_ITER(hh, group->rolelist, rolelist, rolelist_tmp){
+ dynsec_rolelist__group_remove(group, rolelist->role);
+ }
+
+ return MOSQ_ERR_SUCCESS;
+}
+
 int dynsec_groups__remove_client(const char *username, const char *groupname, bool update_config)
 {
 struct dynsec__client *client;
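Review bot: `dynsec__remove_all_roles_from_group` (hunk at -583) can only return `MOSQ_ERR_SUCCESS`, and its one visible caller in `dynsec_groups__process_delete` discards the result, so the `int` return suggests error handling that does not exist. It mirrors the neighbouring `dynsec__remove_all_clients_from_group`, but the client-side counterpart in this same commit is declared `static void client__remove_all_roles(...)`; I would declare this one `static void dynsec__remove_all_roles_from_group(struct dynsec__group *group)`, drop the `return MOSQ_ERR_SUCCESS;`, and update the forward declaration to match. If `dynsec_rolelist__group_remove` can fail (its return type is not visible here), that result is dropped inside the loop and deserves at least a comment. A short header comment such as `/* Detach the group from every role it holds so no role keeps a pointer to it after group__free_item() */` would also record why the function exists.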