Please refer to this article, Assigning the System User through Script which can be tailored for non-system users. Currently there is no alternative out-of-the-box feature to set the permissions on newly created users via service (except for the snippets available to use in a custom server).
Having gone through securing an application recently myself, I can understand the desire for features like these.
At this juncture the best way is to add security as you are building vs. finishing an application and layer security afterwards.
Since you should know the different 'type' of users ahead of time, you can create Application Security User Groups that have certain permissions that you can then stack for the actual 'Application Role User Groups'
AppDefaultPermissions User Group that can execute all necessary services to get around in the application and see default information.
Has the necessary property read
AppEditPermissions User Group that can perhaps do value edits or something like that
AppManagerPermissions User Group that can create new users etc.
then you create at the end groups like
and you add these to the groups above (note that the permissions stack)