[Vuejs]-Vuejs best practices for defence against interface attacks from editing state variables in browser


There is no way to prevent a user from being able to change the client-side code provided to him. The solution you mentioned is the right approach. Never trust the user with any sensitive data unless verified by your server.

This means that while a user with bad intentions might be able to change his role to "manager" and thereby get access to the dashboard (or even remove the if-statement that only renders the Dashboard conditionally – the code is there), the dashboard he sees cannot contain any sensitive data that is only supposed to be visible to users with a "manager" role.

The key is not providing the user any data he is not supposed to see in the first place, not obfuscating the data passed in the hope that the user won't notice. You are not protecting against the average user but rather somebody who knows how to code and has the intention of breaking your application. Obfuscated code is a small hurdle and not sufficient to prevent attackers from seeing and understanding the underlying logic.
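To illustrate the point of the answer above, here is an added example (not code from the original post or from any real project): the dashboard endpoint derives the role from the server's own session store and ignores whatever role the browser claims, beside the insecure variant that trusts client state. The session ids, users and dashboard figures are constructed sample data.

```javascript
// Added example (not from the original answer): the server must derive the
// user's role from its own session store, never from state the client sends.
// The session ids, users and dashboard figures below are constructed samples.

// Server-side session store: the only trusted source of a user's role.
// In a real app this would be a database or session backend.
const sessions = new Map([
  ["sess-alice", { user: "alice", role: "manager" }],
  ["sess-bob", { user: "bob", role: "employee" }],
]);

// Data that must only reach users whose server-side role is "manager".
// The Vue `v-if="user.role === 'manager'"` on the client is merely a UX
// convenience; it never decides whether this object is sent.
const managerDashboard = { revenue: 1250000, pendingPayroll: 42 };

// Handler for GET /api/dashboard. `req` mimics an HTTP request: a cookie
// carrying the session id, and a body in which the client may claim any role.
function dashboardHandler(req) {
  const session = sessions.get(req.cookies.sessionId);
  if (!session) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  // req.body.role is attacker-controlled (editable in browser devtools) and
  // is deliberately ignored; only the server-side session decides.
  if (session.role !== "manager") {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: managerDashboard };
}

// Insecure counterpart for contrast: it trusts the role the client claims,
// so editing a state variable in the browser is enough to receive the data.
function insecureDashboardHandler(req) {
  if (req.body.role === "manager") {
    return { status: 200, body: managerDashboard };
  }
  return { status: 403, body: { error: "forbidden" } };
}
```

Run the two handlers against a request from the employee session whose body claims `role: "manager"`: the secure handler answers 403 while the insecure one leaks the dashboard.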
