在我的一些生产MVC应用程序，我只是使用内置的SQL角色提供。它的工作原理开箱，你的模版MVC3将配置已经使用它。简单地从Visual Studio中打开管理工具和管理安全和您的角色，用户，用户添加到角色等，并完蛋了。不要用你的web.config管理哪些角色可以访问哪些URI的，这已被推荐遍地从MVC远离为多个URI可能得到一个单一的路线，让你使用（像你一样）的授权属性在用自动角色管理相结合，并且那是你所需要的。这是pretty简单。

In some of my production MVC apps, I simply use the built in sql role provider. It works out of the box, your MVC3 templates will be configured to use it already. Simply open up the admin site from within Visual Studio and manage the security and add your roles, users, users to roles, etc and thats it. Do not use your web.config to manage what roles have access to what URIs, this has been recommended over and over to stay away from in MVC as more than one uri could potentially get to a single route, so you use (as you did) the Authorize attribute in conjunction with the automatic role management, and thats all you need. It's pretty simple.