While authentication is global for an endpoint (and there is a 1:1 relationship between endpoint and container), cache authorization is per-cache. Therefore you can map a dedicated role to each cache and assign that role only to the users which require access to that cache. You could also decide to perform authentication using client SSL certificates and use the certificate's principal (the DN) as a role.
Could you please give me a more insight about how to create roles and assign them to the existing users (as I know I can create management users from add-user.bat).
Also, how clients can provide that information about role while communicating with the server??