When users manage their roles through VIDM groups from VIDM UI, then even though a user is member of multiple VIDM groups, RBAC is enforced using only one of the groups.
NSX 4.1.1.0 with vIDM 3.3.7.0
In the reported scenario, since VIDM groups are mapped to one NSX Role each, NSX creates two separate internal RoleBindings on root path '/'. While consolidating the Roles for the user, only unique paths are considered along with the roles. Because of this second role entry with root path '/' gets ignored. This issue happens only when role assignment is made through external group
membership.
This issue is resolved in VMware NSX 4.2.0
Workaround
Add a user to only one VIDM group and add multiple NSX roles to only this VIDM group
When user manages their roles through VIDM groups from VIDM UI, then even though user is member of multiple VIDM groups, RBAC is enforced using only one of the group. Hence if a user is mapped to a single VIDM group and if that VIDM group has multiple NSX roles, one should be able to workaround this issue.