Jim Cowart
Sep 8, 2011, 11:55:58 AM
to the-design-of-distr...@googlegroups.com
Inspired by Benjamin's discussion of authentication, I wanted to ask what approaches you all are using related to authorization - i.e., once you've identified that the user is who they say they are...how do you handle verifying they are authorized to access particular resources? I think the abstractions provided in the .NET world are often woefully inadequate for the most part, as they are usually tightly coupled to the specific implementation. However, I've done some reading on the concepts behind claims-based auth and I like the ideas overall (though my preference would be to use a general framework that provides claims-based auth and not have to use AD to accomplish it). Has anyone come across an approach (or existing lib/tool) that you think works well for managing authorization for various client types (desktop web, mobile devices, back-end services, remote 3rd party services, etc.)?