Thanks. I was already thinking of doing the "alternative". It would probably be better in the long run, as I won't have to remember to revoke everything for new users/roles.
I've experienced a similar problem to this one. In our case, the problem existed in the Network Layer, well below anything you have direct control over with your code...