It's hard to give you an answer on this without seeing your full ANM and ACS configuration, so it would probably easier if you open a TAC service request to have this investigated further.
Anyway, from what you described, I assume you are trying to do remote authorization (in which, you would not need to associate the user with a role on ANM). For that to work, when you define the organization, you need to configure a unique identifier for it (just under the remote authorization checkbox), for example "test-org". Then, on ACS, you need to would configure the atributes as "ANM_test-org= Role1 Domain1"
Moquery is the command line cousin of Vizore, it's very helpful and efficient sometimes during the troubleshooting. This article aims to provide moquery cheat sheet to the users for some most common seen scenarios.
Here is the checklist before customers/partners contact Cisco TAC:
Firmware Version of APIC and Switch
Download Switch and APIC techsupport logs
Problem description (Symptoms with details)
Business impact (eg, what kind of services...
moquery usageAPIC moquerySwitchmoquery
This document discuss a common issue observed during the VMM integration & VM workload migration to ACI fabric.
VMware Virtual machines are hosted in Cisco UCS-B seri...