This is tough to trace, especially sharing. I believe inherited shares for example won't show in the sharing dialog box for the record, and this is likely where its happening, I'd look to parent record relationships, it could be caused by the parent being automatically shared with the original owner for example.
I think there are some security checking tools in XrmToolBox that may help you with this.
James Abraham Practice Lead – Dynamics 365 firstname.lastname@example.org | T +61 8 7333 4214 | M +61 439 873 354
Level 2, 8 Leigh St, Adelaide SA 5000 | empired.com
You may want to try using the XrmToolBox with the plugin "Privileges Discovery". Using this plugin, simply select the "Read" privilege for the Opportunity entity, and it should show you all of the security roles that grant this privilege. Once you know which roles are granting the privilege, just check to make sure that neither the user or any of the teams that user belongs to has been granted a role that would allow him/her to read the entity.
Senior Programmer Analyst
6800 France Ave. So, Suite 600, Edina, MN 55435
If you've found this thread useful, dive deeper into User Group community content by role