Overriding System.Security.Principal.GenericPrincipal is an easy way to get role-based permission management for declaratively and imperatively permission checks.  But, what performance consequences are there to using GenericPrincipal.IsInRole() and how does it affect design of permissions? 

Here are some performance metrics that I've created from simple experimental development:

GenericPrincipal.IsInRole() has worst-case cost of about 453.00 µs (microseconds, one-millionth of a second).

Context: Pentium 4 1.83GHz, role names with 34 characters in common.

Here is the code used to test (C#):

 String [] roles = new String[1000000];
 for(int i = 0; i < roles.Length; ++i)
 {
  roles[i] = "LongRoleNameHereForTestingPurposes" + i.ToString();
 }
 GenericPrincipal p = new GenericPrincipal(windowsPrincipal.Identity, roles);

 DateTime start = DateTime.Now;
 p.IsInRole("LongRoleNameHereForTestingPurposes" + (roles.Length + 1).ToString());
 TimeSpan span = DateTime.Now - start;

Obviously, regardless of design, minimizing the number of roles assigned at a given time will produce the highest performance solution.  It's clear from these results that GenericPrincipal is quite capable of dealing with many assigned roles without drastically affecting performance.