Have you checked this post? http://www.dotnetnuke.com/Resources/Blogs/EntryId/3329/Authorization-in-the-new-DNN-Services-Framework.aspx
I found this useful (as well as another answer you referred to) ... but it took me a long time to figure it out! Here is what I have guessed so far: If you use a web browser, DNN can accept your request and evaluate permissions (based on your username). A linked blog post demonstrates this with an API that displays tabs - it only displays tabs that your entry has permission to view. If you write an HTTP request from another place (for example, in a PHP script), you can see the same behavior if you send a username / password with the request.
You can use the DnnAuthorize attribute, but using role names directly can be problematic for the reasons you mentioned - what if they change? However, you can write your own attribute. Basically, this will require (in some way, shape or form) TabID and ModuleID. Thus, instead of checking the role name, you can have DNN check what permissions the current user has for this module.
You can write a module for it, assign role-based permissions for your module, and DNN will just check this tab/module for a given input. Writing your own attribute will make assigning permissions to your controller easier ... without directly specifying roles.
I believe the link refers to DNN 6.2, so there may be some differences with 7.
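A sketch of the custom attribute described in the answer above, added here as an illustration; it is not code from the answer or from the linked blog post. It assumes the Web API based Services Framework in DNN 7 (`DotNetNuke.Web.Api`) and a client that sends the `TabId` and `ModuleId` request headers; the names `RequireModulePermissionAttribute`, `ReportController` and the module name `MyCompany.Reports` are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Web.Api;

// Hypothetical attribute: authorizes against the module's permission grid
// instead of a hard-coded role name, so renaming a role does not break it.
public sealed class RequireModulePermissionAttribute : AuthorizeAttributeBase
{
    public SecurityAccessLevel AccessLevel { get; set; }
    public string ExpectedModuleName { get; set; }

    public RequireModulePermissionAttribute()
    {
        AccessLevel = SecurityAccessLevel.View;
    }

    public override bool IsAuthorized(AuthFilterContext context)
    {
        // Resolves the module instance from the TabId/ModuleId request headers.
        ModuleInfo module = context.ActionContext.Request.FindModuleInfo();
        if (module == null)
            return false; // fail closed when the headers are missing or invalid

        // TabId/ModuleId are chosen by the caller, so confirm the instance is
        // really this module and not another one the user happens to have access to.
        if (!string.IsNullOrEmpty(ExpectedModuleName) &&
            !string.Equals(module.DesktopModule.ModuleName, ExpectedModuleName,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Evaluates the current user against the permissions set on the module.
        return ModulePermissionController.HasModuleAccess(AccessLevel, "", module);
    }
}

public class ReportController : DnnApiController
{
    [HttpGet]
    [RequireModulePermission(AccessLevel = SecurityAccessLevel.Edit,
                             ExpectedModuleName = "MyCompany.Reports")]
    public HttpResponseMessage GetReport()
    {
        return Request.CreateResponse(HttpStatusCode.OK, "ok");
    }
}
```

Who may call `GetReport` is then controlled from the module's permission settings on the page rather than from role names in code.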