Security in ASP.NET MVC with message and config file

I'd like avoid access to some action depending of the role I have (IsInRole), how can I do this (code below correect ?) Is it possible to define in a config file the role list who allow access to this action ? In my exemple, define "GROUP1" and "GROUP3" in a c开发者_如何学Goonfig file

[Authorize(Roles="GROUP1,GROUP3")]
public ActionResult MyAction(int id)
{

    return View(myView);
}

Thanks,

---

The values used in attribute initialization must be known in compile time.

This means that you can't fetch them from configuration.

---

Using the location and authorization web.config settings is strongly discouraged since it will open up security holes in your MVC application:

http://forums.asp.net/t/1583850.aspx/1/10

You'll probably need a custom attribute that you can use to look up the authorization rules. You can look at an example here:

http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx