This has to be done on several levels:
1. You can use the authentication system you already have in place to identify the current user.
2. Let's simplify the authorization rules (ACL) to general "roles" (this is supported but the MVC membership system; I'm not sure if it goes deeper, i.e. rules applied to specific objects).
3. In the controller that handles the calendar backend, you need to check the permissions to read and write to the calendars. In the simplified model, the users can always access her own events (where event owner = logged user) and the users in the administrator role can access any event.
4. You need to do the same for the calendar views (but remember that this is not enough, you always need to do #3 because it's not safe to only disable it in the UI). Display the events only to their owners. Display all events if the user is in the administrator role. Depending on the view type, this will mean a limited SELECT when reading the events or resources (for the Scheduler).
By default, all the controls have the editing handlers disabled (e.g. EventMoveHandling = Disabled) so only enable them when the user has the permissions.