despite the fact that advanced datapath/inspection based features are not available (e.g. webcc, airgroup etc., see "Behavior and Defaults" in the ArubaOS User Guide), you can still use firewall roles and things like src-nat.
a typical location may look like
[ internet ] --- +[ RG ] ---- [ local lan ] ---- [ AP ]
where RG is some sort of residential gateway, cable modem or dsl modem etc, which provides src-nat functionality to the internet (denoted by +) and DHCP to the local lan.
In this model, the AP will get an IP from the RG and in bridge mode the clients will also get their IP from the RG and be subject to a role and its firewall rules.
If you want to allow local-lan based services to be able to initiate connectivity back into clients on the AP, you need to open up the ACL known as "ap-uplink-acl" which you can see applied on the AP system profile (of the ap-group)
You have the option to also src-nat at the AP interface to the local-lan, likely however in the case of a single AP per site that is not needed.