I'm not really familiar enough with various forms of authorization to speak with any sort of confidence about what the best way to do authorization is, but a person at work was really high on claims based authorization so I thought I'd do some research. I'll add links as I come across ones I like that help describe what claims based authorization is and how to implement it.
http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/
http://cityislander.blogspot.com/2012/07/claim-based-authorization-for-aspnet.html
http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
http://www.youtube.com/watch?v=ps6Cf9P3xic