Can an MVC 3 app implement dynamic role based AD security?

I am creating an MVC 3 app and I'm trying to work in Active Directory based security. My application is a portal that manages server clusters for each stage of my team's software development lifecycle in a cloud environment. Users will be able to create new servers, delete existing servers and reboot clusters for their respective environments using this interface.

At a high level, I have a list of development stages stored in a database, and then a list of servers that are attached to that stage. For example, our lifecycle is currently DEV->TEST->PROD, so when a user visits the main page of my app, they see three tabs, one for each stage. Clicking on that tab loads a list of all servers that are attached to that stage. These stages are dynamic and admins need to be able to add or delete them from the database at any given time. This will be rare, but we may implement an Integration stage at some point in the future and my UI/Security has to be able to handle that scenario.

In addition to handling multiple stages, each stage needs the ability to handle multiple applications. For example, my team currently only manages one development team, but we may onboard another relatively soon. In this case, I'll need to create servers for them at the DEV, TEST and PROD level which will be separate from our existing applications.

After capturing all of these requirements, I'm not entirely sure how to implement the security controls in my app. We currently use AD groups to manage server permissions, so I'd like to be able to use those same groups to manage my application permissions. The thought process is that if someone has read access to a server, then they'll also have read access to my portal. If they have sudo access, then they'll have full read/update/delete in my portal.

How can I design my views/controllers in such a way that I use AD for authentication and AD groups for roles, but still keep my application security dynamic so that I can attach and detach AD groups using a web admin page to control which AD groups have access to certain pages without having to rebuild my app?

(MVC 3, .NET 4, IIS 7, Active Directory, Linux+Windows)
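
One way to get the behaviour the question describes, as an added example that is not part of the original post: a custom `AuthorizeAttribute` that looks up the permitted AD groups at request time instead of hard-coding them in `[Authorize(Roles = ...)]`. The `IGroupMappingStore` interface, the `stage`/`application` route values and the `"Read"`/`"Full"` access levels are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical store over the admin-editable table that maps
// (stage, application, access level) to AD group names.
public interface IGroupMappingStore
{
    IEnumerable<string> GroupsFor(string stage, string application, string access);
}

// Resolves the allowed AD groups on every request, so attaching or
// detaching a group in the admin page takes effect without a rebuild.
public class StageAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start (e.g. in Global.asax).
    public static IGroupMappingStore Store { get; set; }

    // Hypothetical levels: "Read" (server read access) or "Full" (sudo access).
    public string Access { get; set; }

    public StageAuthorizeAttribute() { Access = "Read"; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Assumed route shape: {stage}/{application}/{controller}/{action}
        var route = httpContext.Request.RequestContext.RouteData.Values;
        object stage, app;
        route.TryGetValue("stage", out stage);
        route.TryGetValue("application", out app);

        // Fail closed: no store, or no stage/application in the route, means no access.
        if (Store == null || !(stage is string) || !(app is string)) return false;

        // Under Windows authentication, IsInRole tests AD group membership.
        return Store.GroupsFor((string)stage, (string)app, Access)
                    .Any(group => user.IsInRole(group));
    }
}
```

Read-only actions would carry `[StageAuthorize]` and create/delete/reboot actions `[StageAuthorize(Access = "Full")]`, with group names stored in the `DOMAIN\group` form that `IsInRole` expects. Because a stage or application the table does not know yields an empty group list, a newly added stage stays inaccessible until an admin attaches a group to it.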
