method level authorization using roles defined in database in concert with CAS

From: hazz (hazz_at_sonic.net)
Date: 07/12/04 

Date: Mon, 12 Jul 2004 11:39:49 -0600

I am stuck trying to implement method level authorization within an assembly.

I wanted to use Declarative Security but I think this is an inappropriate use of this technique. I want the role below to be obtained dynamically at runtime as derived from a SQL Server table where the user roles can be administered remotely via a separate admin module. (asp.net or a web service client)
If I hard-code the role as follows, then I have to recompile the application and deliver new binaries everytime a change in roles is required;
[PrincipalPermission(SecurityAction.Demand, Role="Trusted")]

private void FindRestaurant() // if the role pulled off the app thread is "Trusted", then proceed with the execution of this method.

I have already taken care of the authentication by going against the database with a password comparison. If there is a match, then a generic principle is created and the user's identity and associated role are set in the Thread and available for use as long as the app is running. That part is flexible, it can change everytime the app starts up.

What isn't flexible is the method level gatekeeper contained within the assembly that has been created with these static declarations.

How do I achieve this functional requirement?

Appreciatively,

-greg