I've implemented simple REST API based on Flask Eve framework.

Now I want to add some custom ACL based on user's roles. I've investigated this question a little and found interesting solution called Flask-ACL: https://mikeboers.github.io/Flask-ACL

But there are a few questions I want you to ask:

1. Do somebody know any documentation how to use Flask-ACL + Eve frameworks, because it's not clear enough for me..
2. What is the best way to map list of roles to list of permissions?

Can't help with Flask-ACL (I don't know it) but, have you looked into Eve's own Role Based Access Control yet? It basically allows you total control on what an authenticated user can do.