And the other way around. Such views typically delegate to backend code you can run yourself without invoking the views.
In this specific case, use plone.api.user.grant_roles
: http://docs.plone.org/develop/plone.api/docs/api/user.html. Or, set up a group system and use plone.api.group
to manage access. This will be more performant.