What about storing the AppSettings key in the constant and fetch its value in the IsAuthorized
method:
public class AuthorizeDesignatedRoles : AuthorizeAttribute
{
public const string DELETE = "GroupAuthorizedForDeleteAction";
public string DesignatedRoles { get; set; }
protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext) {
{
// ...
string[] roles = DesignatedRoles.Split(';')
.Select(s => ConfigurationManager.AppSettings[s].ToString())
.ToArray();
foreach (string role in roles)
{
// ...
}
}
}