The only thing the underlying API allows sending is the identity (user).
The Access Roles must still be defined on the Check Point side and verified, e.g., with Active Directory.
That is mentioned in the documentation you provided in a few places, but this first one comes from page 10:
When using the CheckPoint Identity Awareness feature (RESTful API or RADIUS Accounting) the userID that is received by the firewall typically has to be verifiable as a valid user. CheckPoint will ensure the user exists within an authoritative Identity Store, like Active Directory.