connect-roles doesn't define any storing mechanisms. It simply injects into the authenticated user you have in the session object. Storing the strings equivalent to the roles you test for in connect-roles is up to you. You will normally authenticate the user first (which gives you the user object and his roles) and then authorize (where connect-roles gets executed). Passport middleware should be used before connect-roles (as per the connect-roles documentation).
In my case, I added a roles collection to my user model and took care of retrieving that from my database. You still need to implement the role test function and that's where you reference your User model roles property as you defined it.
Example:
    roles.use(function (req, action) {
      if (req.isAuthenticated()) {
        if (req.user.securityRoles.indexOf('admin') >= 0) return true; // admins can access all pages
        else return req.user.securityRoles.indexOf(action) >= 0;
      }
    });
Then you protect a route like this:

    app.get('/offers', roles.is('offer.read'), offers.index);
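
Added example, not part of the original answer and not connect-roles' own code: a stricter form of the role-test function above, written as a plain function so it runs without connect-roles or Passport. The names `authorize`, `fakeReq` and `samples` are hypothetical, the request objects are constructed, and it assumes this is the only role-test function registered, so anonymous requests are denied outright.

```javascript
// Hardened role test: same admin/action logic as the answer's handler, but
// with explicit denial for anonymous users and malformed role data.
const ADMIN_ROLE = 'admin';

function authorize(req, action) {
  // Deny anonymous requests explicitly instead of returning undefined.
  if (typeof req.isAuthenticated !== 'function' || !req.isAuthenticated()) {
    return false;
  }
  const roles = req.user && req.user.securityRoles;
  // Require a real array. String.prototype.indexOf matches substrings, so a
  // user whose roles were stored as the string 'administrator-readonly'
  // would satisfy indexOf('admin') >= 0.
  if (!Array.isArray(roles)) return false;
  // Exact membership test on string entries only.
  const granted = new Set(roles.filter((r) => typeof r === 'string'));
  return granted.has(ADMIN_ROLE) || granted.has(action);
}

// Constructed stand-ins for the req object Passport would populate.
function fakeReq(user) {
  return { user, isAuthenticated: () => user !== null };
}

const samples = {
  anonymous: fakeReq(null),
  reader: fakeReq({ securityRoles: ['offer.read'] }),
  admin: fakeReq({ securityRoles: ['admin'] }),
  stringRoles: fakeReq({ securityRoles: 'administrator-readonly' }),
  noRoles: fakeReq({}),
};

// Evaluate every sample request against one action and return the decisions.
function demo(action) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = authorize(req, action);
  }
  return out;
}

console.log(demo('offer.read'));
// With connect-roles installed, register it with: roles.use(authorize);
```
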