When logging into NSX with a vIDM user that is a member of multiple vIDM groups with different NSX-defined roles applied, permissions from only one role are applied.

Article ID: 389963

Products

VMware NSX

Issue/Introduction

  • When logging into NSX with a user that belongs to multiple vIDM groups that have different NSX roles applied, only the permissions of one of those NSX roles are enforced.
  • No error is raised, but the expected NSX permissions may be missing.

 

Environment

VMware NSX before version 4.2

VMware Identity Manager

Cause

  • In the reported scenario, each vIDM group was mapped to one NSX role, so NSX created two separate internal RoleBindings on the root path '/'.
  • When consolidating the user's roles, NSX considered only unique paths together with their roles.
  • As a result, the second role entry with the same root path '/' was ignored.

Resolution

This issue is resolved in VMware NSX 4.2, available at Broadcom downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

 

Workaround

  • Remove the extra role binding or group membership so that only the needed role is applied.
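The following is an added illustration, not NSX code, of the consolidation defect described under Cause and of the check a defender would run before applying the workaround above. It models a user's group-derived role bindings as (group, role, path) tuples with constructed group names and sample roles, shows the path-only consolidation that drops the second role on '/', the (path, role) consolidation that keeps it, and lists which vIDM group memberships contribute a role that would be lost.

```python
"""Illustration of the role-binding consolidation defect described in this KB.

Constructed example (not NSX code): a user is a member of two vIDM groups that
are each mapped to one NSX role on the root path '/'. The buggy consolidation
keys on path only, so the second binding is dropped; the corrected version
keys on (path, role).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleBinding:
    group: str   # vIDM group the binding comes from (constructed names)
    role: str    # NSX role name (sample values)
    path: str    # object path the role applies to


# Constructed sample: one user, three vIDM group memberships.
USER_BINDINGS = [
    RoleBinding("vidm-network-admins", "network_engineer", "/"),
    RoleBinding("vidm-security-admins", "security_engineer", "/"),
    RoleBinding("vidm-auditors", "auditor", "/orgs/default"),
]


def consolidate_buggy(bindings):
    """Pre-4.2 behaviour as described: one role kept per unique path."""
    by_path = {}
    for b in bindings:
        # setdefault keeps the first role seen; a second role on the same
        # path (here the second binding on '/') is silently ignored.
        by_path.setdefault(b.path, b.role)
    return {path: [role] for path, role in by_path.items()}


def consolidate_fixed(bindings):
    """Expected behaviour: every distinct (path, role) pair survives."""
    by_path = {}
    for b in bindings:
        roles = by_path.setdefault(b.path, [])
        if b.role not in roles:
            roles.append(b.role)
    return by_path


def lost_roles(bindings):
    """Roles the buggy consolidation drops, keyed by path."""
    fixed = consolidate_fixed(bindings)
    buggy = consolidate_buggy(bindings)
    return {
        path: [r for r in roles if r not in buggy[path]]
        for path, roles in fixed.items()
        if set(roles) - set(buggy[path])
    }


def affected_groups(bindings):
    """vIDM groups whose role is dropped by the buggy consolidation; these are
    the memberships the workaround says to remove or merge into one role."""
    lost = lost_roles(bindings)
    return sorted({b.group for b in bindings if b.role in lost.get(b.path, [])})


if __name__ == "__main__":
    print("buggy :", consolidate_buggy(USER_BINDINGS))
    print("fixed :", consolidate_fixed(USER_BINDINGS))
    print("lost  :", lost_roles(USER_BINDINGS))
    print("groups:", affected_groups(USER_BINDINGS))
```

On the sample input the path-only consolidation keeps only `network_engineer` on '/', while `security_engineer` from the second group is lost; `affected_groups` names that group so the membership or role mapping can be adjusted as the workaround describes.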

Additional Information

Confirming this issue requires DEBUG logging. If this confirmation is needed, please open a new support request referencing this KB; assistance will be provided to gather the required DEBUG logging before reproducing the issue.