The application I am currently working on uses the Authorize decoration in conjunction with the membership and role providers (both custom) to manage access to pages within my MVC site e.g.

[Authorize(Users="MyUsername")]
public ActionResult Banking()
{
   return View();
}

[Authorize(Roles="SysAdmin, BusinessOwner")]
public ActionResult Banking()
{
   return View();
}

I find this is extremely flexible as you can have public (no decoration) any logged in user [Authorize] or roles & users. Personally I would never build an app that authorized on Users – Roles is a much more extensible option (even if it does only contain one user at the moment) there are two main reasons I wouldn’t do this – Users becomes unwieldy in a big app and secondly adding a user to the decoration requires a recompile/redeploy of the app whereas associating a user to a role in most situation is typically a database association that the app’s business logic handles at runtime.

In your web.config you set up something similar to this to use the custom providers:

 <system.web>
<membership defaultProvider="MyMembership" userIsOnlineTimeWindow="30">
  <providers>
    <clear/>
    <add name="MyMembership" type="MyDAL.MyMembership, MyDAL"/>
  </providers>
</membership>
<roleManager defaultProvider="MyRole" enabled="true" cacheRolesInCookie="true">
  <providers>
    <clear/>
    <add name="MyRole" type="MyDAL.MyRole, MyDAL" />
  </providers>
</roleManager>

Then you create classes that inherit the providers:

using System.Web.Security;

namespace MyDAL
{
    class MyMembership : MembershipProvider//[ctrl + .] to create stubs
    {
        //Use Visual Studio to generate all the MembershipProvider stubs [ctrl + .]
    }
}

You will end up with a bunch of methods with throw new NotImplementedException() – there are heaps of these but it is not necessary to fill them all out – just complete the ones that are relevant to your application and leave the rest as is.