https://www.codeproject.com/Articles/875547/Custom-Roles-Based-Access-Control-RBAC-in-ASP-NET
Introduction
In this post, I shall cover implementing custom Roles Based Access Control (RBAC) and subsequent roles maintenance in the context of an intranet based ASP.NET MVC web application using Windows Authentication.
ASP.NET Roles and Membership provides almost all features required to perform authentication and authorisation but adding a new role and assigning it to a particular user seems to have been lost.
This solution forms a self-contained framework independent of default out of the box providers.
The framework allows us to focus on which features/areas in our application are restricted to the user, including menus, and what information to make visible/invisible to the user without concerning ourselves with the underlying technicalities.
The framework offers RBAC functionality inside the controller action and controller view at a granular level whilst using minimum code syntax and the framework can be extended to incorporate custom RBAC methods.
It is especially suited for corporate intranet applications where there is restricted access to the hosting web server once your web application has been deployed or the administration of user roles including role assignment cannot be directly undertaken by the application’s system administrator or owner.