JCRAuthorizationModule contains all the logic for extracting roles and groups from a magnolia user and adding related ACLs.
All the methods that handle groups and roles are private and directly work with a content object, in order to make it more flexible it should be modified by separating the logic for retrieving groups and roles from the one that sets the ACLs.
Instead of directly extract roles and set acls it should:

• extract all the roles and groups names
• set acl from the list of roles and group names.

This will make easier to extend it by providing a custom way to collect roles (from an external repo) and to just handle ACLs inside magnolia