Do Per-Request (Custom) Roles exist for ASP.NET and ActiveDirectory?

My vision includes having globally defined roles which are pushed from AD but also I'd like to be able to add to Context.User.IsInRole("ATransientRoleForThisDocumentOnly") and have that work...

I thought about pushing roles into the Thread.CurrentPrincipal and passing in Context.User.Identity and an array of roles but I was concerned about getting all the ADRoles that you get out of the box, I really just want to add some AdHoc ro开发者_运维问答les that will live for the lifetime of the request.

Does that seem possible? All Role manager methods are static so even if I did custom role manager how would that manager know that for document-id #1 that you're reader... while on document #2 you're read/write?

Inherit from a Security class that allows you to override CreatePermission, for instance CodeAccessSecurityAttribute and return this :

public override IPermission CreatePermission()
{
  return new PrincipalPermission(string.Empty, "MyCustomRole");
}