I talked about the resource sharing in the other thread - Organizing Serverless Projects.
But for the IAM roles, it really depends on the level at which you want to control this. You can use Cognito User Groups. Or you can manage these internally in your code if you have some slightly complicated business logic to resolve permissions.