I am also searching for this answer, as I find difficult to map Windchill Roles to ThingWorx groups. As all the rest call via Windchill Connector executed by wcadmin/Administrator I am afraid if Mashup should have logic to filter the data based on role/permissions in of logged in user from Windchill
As of now, there is no clear indication/strategy which can be followed I guess. Based on my discussion with PTC folks, their definition of Role based app is company wide roles (PLM,ERP,Quality) and not the Roles withing PLM (here Windchill) system.
Your thoughts ?