Best practice for authorization in the business layer?

What is the best way (for a .Net 4 project) to implement authorization in the business layer. Simply I want to check whether a certain identity can access a certain action/resource.

I've tried to look this up in Patterns & Practices, b开发者_StackOverflow社区ut haven't found anything useful yet.

And what about PrincipalPermission of ASP.Net 2.0? Is this still relevant? What about maintenance?

I want to use an elegant solution, preferably (re)using asp.net role management.

Thanks!

When you simply want to prevent any code from being called in the situation that the user (for whom the code is running) and throwing an exception is a fine resolution, in that scenario PrinicipalPermissionAttribute works great and is still relevant.

As far as I can see, if the application needs role based security at runtime the Attribute can only be used as a backstop in case of some coding error. CSLA.net has security in the business layer where you can have any number of custom rules so long as their implementation returns a boolean.