WCF message authorization
I'm building a WCF service where I need to add some kind of security so that users can't pull back information that doesn't belong to them. I'm talking about something similar to this question here
The service has calls like
Order GetSalesOrder(id)
and I need to make sure a user can't pull back an order that doesn't belong to him/her. I know I could do as the quoted link does and just have an explicit CheckPermission call that goes to the database and checks. But then I get a bunch of permission-checking code everywhere. I know I could just pass the user id to the GetSalesOrder function, but this would require changing every service call. This option doesn't work so well since there are scenarios where certain users can access all orders (not based on user role, but based on whether or not the user is internal or external). I've also read about ServiceAuthorizationManager, but that seems to be more for claims-based stuff. Are there any other options? In summary, these are the options I can think of:
- Explicit permission check in all service calls
- ServiceAuthorizationManager
- Some kind of custom attribute and message inspector
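One way to implement the third option, as an added example that is not part of the original question: a custom attribute that doubles as an IOperationBehavior and attaches an IParameterInspector to the operation. A parameter inspector is used instead of a message inspector because WCF hands it the already-deserialized arguments, so the order id can be read without re-parsing the message. The IOrderOwnership interface, the Order class and the static Ownership hook are assumed placeholders for the asker's own database code; the "can access all orders" decision is left to that lookup so it can be driven by internal/external status rather than roles.

```csharp
// Added example, not code from the original question. Assumes an
// IOrderOwnership lookup (placeholder for the real database check).
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical abstraction over the database: who may see which order.
public interface IOrderOwnership
{
    // True for "internal" users who may read every order. Not role-based,
    // as in the question; the implementation decides what "internal" means.
    bool CanAccessAllOrders(IIdentity caller);
    // True if the given order belongs to the caller.
    bool Owns(IIdentity caller, int orderId);
}

// Marks an operation whose first parameter is an order id that must belong
// to the caller. Because the attribute is also an IOperationBehavior, WCF
// wires the parameter inspector in when the service host opens.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresOrderOwnershipAttribute : Attribute, IOperationBehavior
{
    // Service-wide hook for the ownership lookup (assumed; set at host startup).
    public static IOrderOwnership Ownership { get; set; }

    public void ApplyDispatchBehavior(OperationDescription op, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new OwnershipInspector(op.Name));
    }
    public void AddBindingParameters(OperationDescription op, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription op, ClientOperation client) { }
    public void Validate(OperationDescription op) { }

    private sealed class OwnershipInspector : IParameterInspector
    {
        private readonly string _opName;
        public OwnershipInspector(string opName) { _opName = opName; }

        // Runs before the service method body; throwing here aborts the call.
        public object BeforeCall(string operationName, object[] inputs)
        {
            // Fail closed: no authenticated caller means no access at all.
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.IsAnonymous || ctx.PrimaryIdentity == null)
                throw new FaultException("Authentication required.");

            // The attribute contract: first argument is the order id.
            if (inputs.Length == 0 || !(inputs[0] is int))
                throw new FaultException("Operation " + _opName + " has no order id to check.");
            int orderId = (int)inputs[0];

            IOrderOwnership ownership = Ownership;
            if (ownership == null)
                throw new FaultException("Ownership policy not configured.");

            IIdentity caller = ctx.PrimaryIdentity;
            // Internal users pass; everyone else must own the order.
            if (!ownership.CanAccessAllOrders(caller) && !ownership.Owns(caller, orderId))
                throw new FaultException("Order " + orderId + " is not accessible to the caller.");
            return null;
        }

        public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
    }
}

public class Order
{
    public int Id { get; set; }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    Order GetSalesOrder(int id);
}

public class OrderService : IOrderService
{
    // Only the attribute is needed on each operation; the check itself lives
    // in one place instead of being repeated in every method body.
    [RequiresOrderOwnership]
    public Order GetSalesOrder(int id)
    {
        // Real database load goes here; placeholder for the example.
        return new Order { Id = id };
    }
}
```

Two caveats for anyone adopting this: the inspector refuses calls when ServiceSecurityContext.Current is null or anonymous, so the binding must actually authenticate callers (otherwise every call faults, which is the safe failure). And the same FaultException text is returned whether the order does not exist or belongs to someone else, so the check does not let an external user enumerate valid order ids.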