My vision includes having globally defined roles which are pushed from AD, but I'd also like to be able to call Context.User.IsInRole("ATransientRoleForThisDocumentOnly") and have that work...
I thought about pushing roles into the Thread.CurrentPrincipal by passing in Context.User.Identity and an array of roles, but I was concerned about losing all the AD roles that you get out of the box; I really just want to add some ad hoc roles that will live for the lifetime of the request.
Does that seem possible? All Role Manager methods are static, so even if I did a custom role manager, how would that manager know that for document-id #1 you're a reader... while on document #2 you're read/write?
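One way to get request-scoped roles without losing the AD groups, written as an added example for this question (it is not code from the original post, and the `docId` query-string parameter, the `Document.Reader`/`Document.Editor` role names and the `DocumentAcl` store are constructed assumptions): wrap the already-authenticated principal in a decorator that delegates `IsInRole` to the wrapped AD-backed principal and additionally answers true for a small set of roles computed for this request, then install that wrapper on both `HttpContext.User` and `Thread.CurrentPrincipal` in `PostAuthenticateRequest`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Decorator principal: AD roles still come from the wrapped principal
// (e.g. a WindowsPrincipal); ad hoc roles live only in this object, which is
// created per request and discarded with it.
public sealed class TransientRolePrincipal : IPrincipal
{
    private readonly IPrincipal _inner;
    private readonly HashSet<string> _adHoc;

    public TransientRolePrincipal(IPrincipal inner, IEnumerable<string> adHocRoles)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _adHoc = new HashSet<string>(adHocRoles ?? Enumerable.Empty<string>(),
                                     StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity => _inner.Identity;

    public bool IsInRole(string role) =>
        _adHoc.Contains(role) || _inner.IsInRole(role);
}

// HttpModule that computes the per-request roles after authentication and
// replaces the principal on the context and the thread so IsInRole works
// from pages, controllers and [PrincipalPermission] checks alike.
public sealed class TransientRoleModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

            var principal = new TransientRolePrincipal(ctx.User, RolesForThisRequest(ctx));
            ctx.User = principal;
            Thread.CurrentPrincipal = principal;
        };
    }

    // Assumed policy for illustration: the request names one document via
    // ?docId=...; every authenticated caller may read it, and the document's
    // ACL decides who may edit it.
    private static List<string> RolesForThisRequest(HttpContext ctx)
    {
        var roles = new List<string>();
        string docId = ctx.Request.QueryString["docId"];
        if (string.IsNullOrEmpty(docId)) return roles;

        roles.Add("Document.Reader");
        if (DocumentAcl.CanEdit(ctx.User.Identity.Name, docId))
            roles.Add("Document.Editor");
        return roles;
    }

    public void Dispose() { }
}

// Constructed stand-in for the per-document permission store; a real
// application would read this from its database.
public static class DocumentAcl
{
    private static readonly Dictionary<string, HashSet<string>> Editors =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["2"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice" },
        };

    public static bool CanEdit(string userName, string docId) =>
        Editors.TryGetValue(docId, out var users) && users.Contains(userName);
}
```

Register the module under `system.webServer/modules` in web.config (IIS integrated pipeline). Because the wrapper is built fresh on every request and delegates unknown roles to the original principal, the AD groups are never lost and nothing added here survives past the request. For the "reader on document #1, read/write on document #2" case the role check is only meaningful when the request concerns a single document; any code that must decide about other documents should call the ACL directly with the document id (as `DocumentAcl.CanEdit` does) rather than rely on a role name.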