Custom claims

On the backend you can use custom claims to group user's permissions

What I'd recommend is to separate the auth from the access by using Custom Claims. Allow any one to create a user, but attach a Cloud Function to the user create event. If the user matches one on the white list, set a custom user claim (this just launched recently!)

Finally, in your rules, check for that use property before giving access to the data:

{
"rules": {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
}
}

from Firebase Authentication with whitelisted email addresses