I ended up knowing this mostly because we use custom permissions w/ SSDT (to handle multiple environments and based on Jamie Thomson's work). Without including the "GRANT CONNECT" statement, we get those wonderful arrows. I'd left them out for a while and caught it when publishing our changes resulted in no access to the affected databases. Many edits later, we were good to go again after each publish operation. Of course before that I assumed login/user mismatch or some similar root cause, but a simple GRANT CONNECT fixed all and was much easier to implement.