Cancancan lets you only define permissions for given context. This context might be a user role which is not a part of cancancan and hence roles have to be defined by yourself.

There are various ways to define user role, e.g.

• as a Role model,
• Rails enum,
• as suggested here,
• as a string attribute of User model.

It all depends of the use case. An example of how to define abilities can be found here. In your case, it would look like:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new

    if user.reviewer? #Just a logged user
      can :manage, Comment, { owner_id: user.id }
    elsif user.admin?
      can :manage, :all
    end
  end
end

class User < ActiveRecord::Base
  enum role: [ :reviewer, :admin ]
end

If you are going to use Roles, consider the Canard gem (https://github.com/james2m/canard) which combines CanCanCan with RoleModel (https://github.com/martinrehfeld/role_model). This gives you a well organized way of stipulating roles and their abilities

For example, if you have a user model, you would set the roles as follows:

class User < ActiveRecord::Base
  acts_as_user roles: [:supervisor, :manager, :writer]
end

Then you can create Ability files for each role, including a base User (not assigned any roles) and Guest (not logged in)

Canard::Abilities.for(:user) do
  can  :manage, User, id: user.id
  cannot  [:destroy], User
end

The above will allow a user to update their own information but will not allow them to delete themselves. They also will not have access to any other user record.

You can refer following rails cast http://railscasts.com/episodes/192-authorization-with-cancan