>Your Manager Identity would have it's own roles plus all of the roles that a Teller has (assuming that the Manager is allowed to perform all of the actions that a Teller may).

Right, I knew that, and in the normal operation of the system, that would be the way it was set up. We will expose the equivelent of "Groups" in our database so the user can assign "Roles" to "Groups" and then a person can be in the "Manger" and "Teller" application "Group" which would be assigned the "Roles".

Actually, in our app we have what we call "Users", "Roles", and "Permissions". Roles aggregate Users, and Permissions can be assigned to Roles or Users. But, the "Permission" would be what .Net calls the "Role".

But, the main 'thrust' of this message was, before we actually got our database of permissions (.Net roles) set up, and since we generate the permission attributes into our business layer classes automatically, I wanted a way to specify that they had either a certain "Role" OR they were User="Administrator". If it is doable no one has told me how yet.

Thanks,
BOb