You can clone with
HTTPS or Subversion.
Add a permissions model to modules, to enable exposure of permission groups.
Modify module router to enable a route to be linked to permissions.
Create an admin UI to enable mapping between user roles and permissions (e.g. tick).
Create install script that defaults all of the above.