Lullaby 1.0 RC3 introduced role-based authentication. Using role-based authentication, you can further restrict access to a REST service or REST method by a role using the AllowedRoles property of the RequireAuthentication attribute.

[RequireAuthentication(AllowedRoles = "User,Admin")]

If using an authentication provider, Lullaby will check against the roles returned from the provider. If using forms authentication, it will invoke IsUserInRole.