Yeah, I saw these but they don't help unfortunately... the SN Pro Tip is where I found out about GlideSecurityManager, while the proposal to invalidate the session is precisely what I'm trying to avoid. 

The crazy thing is, as this example shows, it appears to work in that the roles change but the GlideSystem itself doesn't update