How to specify Roles at runtime?

As I understand it, the standard method of specifying which roles a particular method is secured by is using the Authorize attribute. However, that obviously means this is hard coded at design time and cannot be changed after deployment.

We have a need to allow clients to dynamically specify what roles (if any) are required to access a particular method at runtime. So for example, today they may specify that Method1 is secured by the Admin role. But tomorrow they may want to open it up to the Manager role as well.

Is there anyway to assign roles at runtime by reading from something such as a cache or database?

If you need to validate dynamic roles at runtime, you can’t use static metadata attributes, you’ll need to validate them inside your Service implementation, here’s an example from AssignRolesService: