You don't necessarily have to create a custom membership provider, but you are going to have to think about permissions differently.
To start, replace the word "Role" with "Operation" in your head.
You need to create atomic, fine-grained permissions in your application such as:
- UserPropertiesView
- UserPropertiesModify
- CreateUser
- DeleteUser
- RolesView
- RolesModify
- CreateRole
- DeleteRole
It might be difficult at first, but this gives you great control and flexibility over assigning operations to individual users. Since different pages will have different operations, you will be able to customize their access.
Unfortunately, the out-of-the-box ASP.NET membership and role providers all work off the concept of a coarse-grained Role. So long as you know they are Operations, and not roles, you will be good.
Abstractions are your friend here:
```csharp
using System.Web;

public static class Permissions
{
    public static bool Operation(string op)
    {
        // this class can be a lot better
        // it can be testable, and check
        // error conditions, but this is
        // only an example :)
        // The role provider's "roles" are treated as operation names here.
        return HttpContext.Current.User.IsInRole(op);
    }
}
```
Somewhere you will want to group all these operations up into Roles, but that will require some custom programming on your part.
Custom Providers really aren't that scary, and you can extend the built-in ones easily.
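
One way to group operations into roles, as an added example that is not part of the original answer: a principal that expands the user's roles into the operation names listed above and answers `IsInRole` per operation. `RoleMap`, `OperationPrincipal`, and the role names `HelpDesk` and `UserAdmin` are hypothetical, and the hard-coded map stands in for whatever store the application uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical role-to-operation map; a real application would load this from its own store.
public static class RoleMap
{
    static readonly Dictionary<string, string[]> Map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "HelpDesk",  new[] { "UserPropertiesView", "RolesView" } },
            { "UserAdmin", new[] { "UserPropertiesView", "UserPropertiesModify",
                                   "CreateUser", "DeleteUser" } },
        };

    // Unknown or null roles expand to nothing, so access is denied by default.
    public static IEnumerable<string> Expand(IEnumerable<string> roles)
    {
        return roles.Where(r => r != null && Map.ContainsKey(r)).SelectMany(r => Map[r]);
    }
}

// Principal whose IsInRole answers "may this user perform operation X?".
public sealed class OperationPrincipal : IPrincipal
{
    readonly HashSet<string> _operations;
    public IIdentity Identity { get; private set; }

    public OperationPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _operations = new HashSet<string>(RoleMap.Expand(roles), StringComparer.Ordinal);
    }

    // Exact, case-sensitive match on the operation name; anything else is refused.
    public bool IsInRole(string operation)
    {
        return operation != null && _operations.Contains(operation);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample user: one known role and one role missing from the map.
        var user = new OperationPrincipal(new GenericIdentity("alice"), new[] { "HelpDesk", "Typo" });
        Console.WriteLine(user.IsInRole("RolesView"));
        Console.WriteLine(user.IsInRole("DeleteUser"));
    }
}
```

Assigning such a principal to `HttpContext.Current.User` after authentication lets a helper like `Permissions.Operation` keep calling `IsInRole` unchanged.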