Here are the steps I used to create my local user and assign permissions:
1. Create Role and assign new user to role in Embedded SSO
2. Created new Group in GM - Grid Permissions with View Grid Status, Grid Management, Grid Administration and Dev Studio checked
3. Copied AoAdmin group in Repo Manager to new group name
4. Role, Group Name in GM and Group Name in Repo are all written the same way
5. Only BAOLocal configured in Realm
The new user can connect to Repository but can't connect to the Grid (Grid Manager or Studio).
I'm getting this in rsso logs on cdp:
2017-10-27 11:47:00,536 WARN [http-nio-38080-exec-2] Authenticator:159 -  user failed to login, auth type:IdPLocalUser, order:1
2017-10-27 11:47:00,536 ERROR [http-nio-38080-exec-2] Authenticator:162 -  User failed to login, username:xxxx
Any help would be appreciated.
I found the issue.
authentication.xml in cdp was pointing to the wrong port number.