I know I like to keep my initial role as something that doesn't actually provide any IP connectivity at all, because some clients will not deal well with getting a DHCP lease, and then getting shuttled to another role assigned by a ClearPass RADIUS VSA with a different VLAN associated. If you keep clients in the same VLAN the whole time and just use your various user roles for ACL assignment, this wouldn't be a problem.
I don't know if it's the best way to do it, but my initial role has an "allow-all" ACL associated, but no VLAN, which means it should derive its VLAN from the switching profile in the interface or interface-group configuration. If no switching profile is configured, it would fall back to the default switching profile with VLAN 1, which in my case is not something that will provide any IP connectivity to clients.
If the Aruba experts here think this isn't optimal, please let me know.