This is more workaround rather than answer, but if you download the kubeconfig file from Rancher for the cluster does that give you all the expected access from external kubectl and does it work after removing from Rancher?
Looking into RBAC in Kubernetes is still on my future todo list, so I can’t be of much help other than the workaround suggestion.
Note thread Kubectl command to return a list of all user accounts from Rancher - *security/accounts/users may have some answers for you too.