Suggest verifying that the role is being recognized as expected: using SMC, give your new role the "Administrator" capability, then verify that any user in that role has administrator permissions (able to create anything).
If not, then perhaps we need an intermediate Group object:
Typically, [Users] are members of [Groups], which are in [Roles], which have [Capabilities].
Other variations are certainly possible (and should work), but this is the most well-worn trail.