@cwhittle see how the RoleAssignment has a RoleTarget within it? Does the nativeIdentity of the RoleTarget match the nativeIdentity of the Link (AD account) object on the cube? This includes casing. If it is off at all, the role does not properly detect the associated entitlements. This can happen if you provision the account in all lowercase for example but some parts of the account DN are aggregated back in uppercase, etc. due to how the domain is configured. Or the account gets renamed directly in the domain or something.