Authorization is concerned with what the caller is allowed to do: typically, which operations the client is allowed to invoke on the service. Authorizing of the caller is done under the assumption that the caller is indeed who the caller claims to be—in other words, authorization is meaningless without authentication. For authorization, the service typically relies on some kind of credentials store, where callers are mapped to logical roles. When authorizing an operation, the operation declares or explicitly demands that only certain roles can access it, and the service needs to look up the caller’s role or roles from the store and verify that the caller is a member of the requested roles. Out of the box, WCF supports two credentials stores: the service can use Windows groups (and accounts) for authorization, or it can use an ASP.NET provider (such as the SQL Server provider) to store user accounts and roles. WCF also supports custom role repositories, but I have found that the easiest option by far for implementing a custom store is to implement a custom ASP.NET provider. This chapter will address the ASP.NET providers at length later.