Sorry for the topic resurrection, just my two cents. Roles are a common - and hard - topic in all enterprise applications. If you check Nexus, for example, there are thousands of roles, because they need fine tuning of resource access. Roles (when used as an ACL) may be used as per-resource access, hence the large number.
Actually, right now, I'm trying to figure out how to serve static resources with an ACL and boy, it is hard. I think I will simply cut-and-paste Ktor source code as most of the stuff is private and there is no extension mechanism (AFAIK).
Please note that authentication and authorisation are two very different topics. Ktor provides good features for authentication but nothing for authorisation. We ended up writing our own role/permission system, and put the actual Ktor routing behind a common logic that provides proper authorisation services.
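One way to layer a role check on top of Ktor's authentication, as the post above describes, is a route-scoped plugin. This is an added example, not the poster's code or Ktor's own; it assumes Ktor 2.x with ktor-server-auth, and the RolePrincipal type and the "session" provider name are hypothetical.

```kotlin
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

// Hypothetical principal: roles are resolved once, at authentication time.
data class RolePrincipal(val name: String, val roles: Set<String>) : Principal

// Pure policy decision, kept separate from Ktor so it can be unit-tested.
// A missing principal or a missing role both deny (fail closed).
fun isAuthorized(principal: RolePrincipal?, required: Set<String>): Boolean =
    principal != null && principal.roles.containsAll(required)

class RequireRolesConfig {
    var roles: Set<String> = emptySet()
}

// Route-scoped plugin: the AuthenticationChecked hook runs after Ktor's
// Authentication has processed the call, so the principal is available.
// Anything not authorised gets 403 and the handler is never reached.
val RequireRoles = createRouteScopedPlugin("RequireRoles", ::RequireRolesConfig) {
    val required = pluginConfig.roles
    on(AuthenticationChecked) { call ->
        if (!isAuthorized(call.principal<RolePrincipal>(), required)) {
            call.respond(HttpStatusCode.Forbidden)
        }
    }
}

// Usage: authentication stays Ktor's job (the "session" provider is assumed
// to be configured elsewhere to produce a RolePrincipal); the role check is
// installed once on a route subtree and applies to every child route.
fun Application.adminRoutes() {
    routing {
        authenticate("session") {
            route("/admin") {
                install(RequireRoles) { roles = setOf("admin") }
                get("/report") { call.respondText("admin report") }
            }
        }
    }
}
```

Keeping the decision in `isAuthorized` means the policy can grow into a permission table without touching the routing, and it can be tested without starting a server.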