In a web application using Entity Framework 4.1 we use SQL Server Membership to manage user access. However we need to implement a more granular set of roles a permission management.

In the database we have already created the relative tables:

- Roles 
- Permissions 
- UserInRole (roles per user)
- RolesPermissions (permissions associated to a role) 

Using attributes on some of the core entities we restrict the access semantically with EF, as example, given a specific user, s/he can see only the relative shipped orders or inherent data.

Now we would like to inject the permissions in it, meaning as example that a customer can see and create orders, while a company (these are two different roles) could only see orders for their products and also print reports.

The idea would be to use attributes also for permissions at entity level and check if the current user owns proper rights when a method is invoked. For instance:

public void BeforeAdd()
{
   // Get required permissions for the specific entity (Order as example)

   //Check that current user has permission of creating a new Order 
}

Such a method would be called by each entity, allowing to centralize the control over permissions at entity level.

We use MVC as frontend and in there we have already implemented roles and permissions access. We need to make the same with the backend part (containing data layer). These are two separate servers communicating via web services. By implementing permission management on the back end part would strengthen the control over data access.

Is there any pattern or best practice that we could follow (eventually using some built in features of EF) to achieve permissions management?