According to the user name token specification, it only talks about authentication. The user/password that is sent in the user name token is validated. It does not talk about access control (RBAC). Therefore you cannot define the roles in the policy. You can only use this policy to verify the authentication.
As you have talked about WSO2 ESB: in ESB they have provided some modifications to support access control in the user name token policy. The place that they have extended is the password callback handler. The WSO2 custom password handler checks both authentication and access control. You can find the source of the WSO2 password handler from here. I guess you can secure the proxy services using the management console that ESB has provided. In this management console, you can configure the user name token security policy and can define allowed roles. These roles are not saved in the policy, but rather in some database that WSO2 ESB has.
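The pattern described in the answer above, a password callback handler that authenticates and then authorizes against roles kept outside the policy, as an added example that is not part of the original answer and is not WSO2's code. It uses only the JDK callback classes as a stand-in for the WS-Security callback; the class name, the in-memory user store and the sample credentials are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.*;

// Hypothetical model of a handler that does authentication AND role-based access control.
public class RoleCheckingPasswordHandler implements CallbackHandler {
    // Constructed sample user store (a real store holds salted password hashes, not plaintext).
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("admin"), "bob", Set.of("guest"));
    private final Set<String> allowedRoles; // per-service setting, stored outside the security policy

    public RoleCheckingPasswordHandler(Set<String> allowedRoles) { this.allowedRoles = allowedRoles; }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        String user = null;
        char[] pw = null;
        for (Callback cb : callbacks) { // the caller fills in the credentials received in the token
            if (cb instanceof NameCallback) user = ((NameCallback) cb).getName();
            else if (cb instanceof PasswordCallback) pw = ((PasswordCallback) cb).getPassword();
            else throw new UnsupportedCallbackException(cb);
        }
        // Step 1: authentication, the only thing the user name token itself covers.
        String expected = user == null ? null : PASSWORDS.get(user);
        if (expected == null || pw == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("authentication failed");
        // Step 2: access control, using roles looked up in the user store.
        if (Collections.disjoint(ROLES.getOrDefault(user, Set.of()), allowedRoles))
            throw new SecurityException("authenticated, but no allowed role");
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new RoleCheckingPasswordHandler(Set.of("admin"));
        String[][] attempts = {{"alice", "s3cret"}, {"bob", "hunter2"}, {"bob", "wrong"}};
        for (String[] a : attempts) {
            NameCallback name = new NameCallback("user");
            name.setName(a[0]);
            PasswordCallback pass = new PasswordCallback("password", false);
            pass.setPassword(a[1].toCharArray());
            try {
                handler.handle(new Callback[] {name, pass});
                System.out.println(a[0] + ": accepted");
            } catch (SecurityException e) {
                System.out.println(a[0] + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The second attempt shows the gap the answer points at: valid credentials pass authentication, and only the extra role check in the handler keeps that user out of the service.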