So here is a solution for you. I’m not sure if this is the best way to proceed, but I hope it helps you, so here it goes:
If you want a simple access control where the user has a single role and you want something less ‘complex’ than an RBAC solution, do something like this:
Add a column on your users table for the role;
Create a class to extend AccessRule and override the matchRole() method to perform validation with your new role field, you can check how to do this here:
Basic Access Control Article
You should use this new class on your controller behaviors instead of the default one and define the rules there; the article above explains this too.
If you need more detailed information about the rules, check here:
Access control filter
Finally, if you followed that article it should be working fine, but in this situation you need to define the behaviors and rules in every controller.
So if you’re sure that the rules are the same for all of the controllers, you could just create like a middle class (that extends the Controller class) and put those behaviors there, then have all of your controllers extend that class. This way you get a centralized place to define access rules.