Nice post on SSAS security. That is a part of SSAS (and most products for that matter) that is not reviewed enough in my opinion.

I have used many of the same methods that you are using to define roles except I am doing it in a production environment and using actual AD account names versus local Windows user names. Downside there is that I cannot create roles based on groups unless I create a Windows group and put the AD accounts in there or there is an AD group with the users in it already that I can then use in my role. Where there is a will there is a way!

Have you tried using perspectives in SSAS as well? Also, did you attend any sessions on SSAS partitions and aggregations?