5.2 Introducing Role-Based Security

The .NET Framework provides a generic role-based security mechanism to represent the identity and roles of the user on whose behalf code is running. As illustrated in Figure 5-1, you can use .NET's role-based security mechanism to integrate with an existing user account system, such as that provided by Windows or Microsoft's Passport .NET authentication mechanism. However, it is just as easy to integrate with other custom user account mechanisms.

Figure 5-1. Role-based security

Regardless of the underlying source of user information, .NET's role-based security interfaces provide a standard mechanism through which you can make runtime security decisions based on the identity and roles of a user. For example, you can make decisions such as:

  • Ensure that only users who are members of the "Administrators" or "Managers" roles can execute a protected class member

  • Ensure that only the user "Peter" can load a class that inherits from a protected class

.NET's abstraction of the role-based security interfaces from the underlying authentication and authorization mechanisms makes it relatively easy to change from one mechanism to another should the need arise. We provide detailed coverage of .NET's role-based security mechanisms in Chapter 10.
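The following sketch is an added example, not code from the book. It shows a role check and a user-name check enforced against a custom account source by using GenericIdentity and GenericPrincipal. It targets the .NET Framework; the class and member names (Payroll, ApproveRaise, OpenLedger) and the users and roles other than "Peter", "Administrators" and "Managers" are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class Payroll
{
    // Multiple declarative demands on one member are combined as a union:
    // the current principal must be in "Administrators" OR "Managers".
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public static string ApproveRaise() { return "raise approved"; }

    // Imperative demand on a user name; a null role means "any role".
    public static string OpenLedger()
    {
        new PrincipalPermission("Peter", null).Demand();
        return "ledger opened";
    }
}

class Demo
{
    // A failed principal demand surfaces as a SecurityException.
    static string Try(Func<string> action)
    {
        try { return action(); }
        catch (SecurityException) { return "denied"; }
    }

    // Stand-in for a custom account system: the identity and its roles are
    // supplied by the application instead of Windows or Passport.
    static void RunAs(string name, params string[] roles)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(name), roles);
        Console.WriteLine("{0}: ApproveRaise={1}, OpenLedger={2}",
            name, Try(Payroll.ApproveRaise), Try(Payroll.OpenLedger));
    }

    static void Main()
    {
        RunAs("Peter", "Staff");      // constructed user: name matches, role does not
        RunAs("Alice", "Managers");   // constructed user: role matches, name does not
        RunAs("Mallory");             // constructed user: neither matches
    }
}
```

Because the demands are evaluated against Thread.CurrentPrincipal, replacing the GenericPrincipal with a WindowsPrincipal changes the account source without touching the protected members.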
