Wednesday, June 5, 2019

SSAS Role not Being Used

I recently ran into a situation where one of our users was seeing all the data in our SSAS tabular cube/model. Yes, they were in the AD group specified in the Role, but they were also not an SSAS Admin. It seemed like the role wasn't even being taken into account when the user logged in.

I couldn't find anything on the internets to pinpoint the issue, so I'm writing it up in case anyone else runs into this.

As far as I knew, the only reason the role would get skipped was if the user was an SSAS Admin, which, like I said, they weren't.

Running a SQL Profiler of the SSAS instance and logging in to the cube as the user showed me a Session Initialize value of "*, model access" which means they had access to everything (*) and to our one role "Model Access" (if specifically selected).


If I ran it as me, an SSAS Admin, I got the same exact thing.

Running as a user who was not having access problems showed only access to "Model Access".


So how were they bypassing the role even though not specified as an SSAS Admin in the Analysis Server's properties?

Local Windows admin.

Somehow an AD group the user was in was included as a local admin on the Windows server of our SSAS service. And if you look in the SSAS Admin list the local Administrators group is not listed there, so it might not be the first thing you think of when troubleshooting this kind of access.

There is an Advanced Property in the Analysis Services instance's settings called Security > BuiltinAdminsAreServerAdmins. If you want all local Administrators to be able to see the full contents of your SSAS cubes, you can leave it enabled (true), but if those users are not the same users who should have full data access, you will want to disable that option.

Bradley Schacht's blog post describes how to turn this off as well as the dangers of shutting it off before adding people/groups as SSAS Admins.
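One way to check a server for this condition, as an added example that is not part of the original post: the script reads the BuiltinAdminsAreServerAdmins value from the instance's msmdsrv.ini and lists the members of the local Administrators group. The `$IniPath` parameter, the XML location of the setting, and the treatment of a missing element as "enabled" are assumptions to verify against your own instance.

```powershell
# Added example (not from the original post): report whether local Windows
# administrators are implicit SSAS server admins on this machine.
# Run in an elevated session on the server that hosts the SSAS instance.
param(
    # Assumption: full path to this instance's msmdsrv.ini (in its OLAP\Config folder).
    [Parameter(Mandatory)]
    [string]$IniPath
)

# msmdsrv.ini is an XML document; the setting is expected under <Security>.
[xml]$config = Get-Content -LiteralPath $IniPath -Raw
$node = $config.SelectSingleNode('//Security/BuiltinAdminsAreServerAdmins')

# Assumption: a missing element means the server default (enabled) applies.
$enabled = ($null -eq $node) -or ($node.InnerText.Trim() -in '1', 'true')

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup does not depend on the OS display language.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544'

[pscustomobject]@{
    IniPath                      = $IniPath
    BuiltinAdminsAreServerAdmins = $enabled
    LocalAdminMemberCount        = @($localAdmins).Count
}

if ($enabled) {
    Write-Warning 'The accounts and groups below bypass SSAS role security on this server.'
}

# AD groups in this list deserve the closest look: every member of such a
# group inherits the same access, which is how the user in this post got in.
$localAdmins |
    Sort-Object ObjectClass, Name |
    Select-Object Name, ObjectClass, PrincipalSource
```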

Hope this helps!