Here's an example from a recent troubleshooting session. A user could login, but did not have any inventory available in the web client. Huh?
Why would this happen? First, it is not because you forgot to add the user to the SSO RBAC list. If you had, they wouldn't even be able to login. No, you did that correctly.
It was probably because, as in this case, you added the user to a group in SSO that was not configured for actual inventory permissions. All you need to do is add that group in with the appropriate RBAC roles to the appropriate inventory-level object.