Security in ASP.NET MVC with message and config file
I'd like to prevent access to some actions depending on the role I have (IsInRole). How can I do this (is the code below correct)? Is it possible to define in a config file the list of roles that are allowed access to this action? In my example, define "GROUP1" and "GROUP3" in a config file.
[Authorize(Roles="GROUP1,GROUP3")]
public ActionResult MyAction(int id)
{
    return View(myView);
}
Thanks,
The values used in attribute initialization must be known at compile time.
This means that you can't fetch them from configuration.
Using the location and authorization web.config settings is strongly discouraged since it will open up security holes in your MVC application:
http://forums.asp.net/t/1583850.aspx/1/10
You'll probably need a custom attribute that you can use to look up the authorization rules. You can look at an example here:
http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
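
One way to write the custom attribute suggested above, as an added example (not code from the original post or from the linked article). The class name ConfigAuthorizeAttribute and the appSettings key "MyActionRoles" are assumptions chosen for illustration; only the key is a compile-time constant, and the role list is read from web.config on each request.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Assumed web.config entry (illustrative key name):
//   <appSettings>
//     <add key="MyActionRoles" value="GROUP1,GROUP3" />
//   </appSettings>
//
// Usage on the action from the question:
//   [ConfigAuthorize("MyActionRoles")]
//   public ActionResult MyAction(int id) { ... }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class ConfigAuthorizeAttribute : AuthorizeAttribute
{
    // Only the setting key is stored on the attribute instance. MVC may reuse
    // attribute instances across requests, so no per-request state lives here.
    private readonly string _settingKey;

    public ConfigAuthorizeAttribute(string settingKey)
    {
        if (string.IsNullOrWhiteSpace(settingKey))
            throw new ArgumentException("A setting key is required.", "settingKey");
        _settingKey = settingKey;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Read the comma-separated role list from configuration at request time.
        var raw = ConfigurationManager.AppSettings[_settingKey] ?? string.Empty;
        var roles = raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                       .Select(r => r.Trim())
                       .Where(r => r.Length > 0)
                       .ToArray();

        // Fail closed: a missing or empty setting denies everyone. The stock
        // [Authorize] with an empty Roles value admits any authenticated user,
        // which would turn a config typo into an access-control bypass.
        if (roles.Length == 0) return false;

        return roles.Any(role => user.IsInRole(role));
    }
}
```

Because the check lives in AuthorizeCore, the base class still handles the 401 response and output-cache validation.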