It seems that every app will need some kind of authorization system, whether it's based on Roles, or something else. Some ways it's implemented in other frameworks:

• sailsjs: Policies
• firebase: .read/.write
• meteor: allow/deny (and roles via third-party packages).

NOTE: I found an Authorizer object in documentation with #definePermission #permissible #permission functions. But I cannot find any examples of how this object or these methods are supposed to be used.