I have the authentication portion of an ASP.NET 3.5 web application complete. I would like to know more about common authorization patterns.

May I present my current authorization structure:

I have a database with “Module” and “Operation” tables.
Modules represent systems in the application and operations represent actions that one is able to perform within a system.

Customer, Order, Billing would be a defined as a module.
An “operation” is related to a module: Customer.Add, Customer.Delete would be customer operations.

Each user has a role which has access to certain operations, depending on their role.

Please note that page menus are generated based on user’s access, and users will not see modules and operations they do not have access to.

My questions begin with how to implement an authorization scheme here, possibly using an existing pattern or technique.

How and when should I secure the module, and check the authorization of a user to perform an operation on said module?

I have not implemented this yet, but here is one way I thought of:

1. User clicks on an operation: Module: Customers | Operation: Add
2. In the click event I look at the user’s role, I verify that the user can perform the operation, then I fire the operation or direct the user accordingly.

Please pardon the obscure nature of this question. I am not sure what to ask here.

I am looking to see how people handle authorization, and how people allow / disallow access to business methods. I am not sure is declarative security is what I need, or if the simple example I provided above is the way to go.

There are many options for me here and the possibilities seem endless. Please let me know if there are any models or patterns I can look to handle authorization inside of an application.