Here's an odd thing we've seen a couple of times... When creating a new role the ACLs sometimes don't work properly. Only seen this on our lab environment, which is a clustered pair of 7005 controllers running 8.5, with a virtual mobility master.
First time this happened the implicit deny at the end of the ACLs just didn't work. More recently my colleague was testing config for a new role and some of the rules didn't work. After spending a long time trying to figure out what was wrong, removed all the ACLs, re-added them and it all works.
I can't recreate this reliably, so there's no point raising a TAC call about it, but thought I'd put it out there in case anyone else has seen similar weirdness.