How can I provide custom roles when using Windows Authentication?
Let's assume I need to grant rights to all users of the group "MyGroup" in Active Directory and the user "Alice" to several objects. I want to create a role "Contributor" (somewhere in my program, because I'm not allowed to maintain the Active Directory) with the members "MyGroup" and "Alice" and grant rights to the objects for the role "Contributor" rather than to "MyGroup" and "Alice" explicitly.
I think this approach would be much easier to maintain. Can I do that? If yes, how can I do it? Do I need to create a custom principal?
Been there and done that.
You must create your own custom principal and identity. Load the windows roles (transform SIDs into role/group names for Windows/AD roles) and add additional roles from wherever they are stored.
These blog posts should get you started:
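One way to build what the answer above describes, as an added example that is not the poster's code and not CSLA's: a custom identity and principal that wrap the caller's `WindowsIdentity`, translate its group SIDs into `DOMAIN\Group` names, and then add application-defined roles whose membership lists reference those Windows names or the user name. The class names `CustomIdentity` and `CustomPrincipal`, the domain `CORP`, and the in-memory dictionary standing in for the real role store are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Added example, not forum or CSLA code. Wraps the Windows identity so the
// rest of the application only ever sees IIdentity/IPrincipal.
public sealed class CustomIdentity : IIdentity
{
    private readonly WindowsIdentity _inner;
    public CustomIdentity(WindowsIdentity inner) { _inner = inner; }
    public string Name => _inner.Name;                          // e.g. CORP\Alice
    public string AuthenticationType => _inner.AuthenticationType;
    public bool IsAuthenticated => _inner.IsAuthenticated;
}

public sealed class CustomPrincipal : IPrincipal
{
    // Case-insensitive, because Windows account and group names are.
    private readonly HashSet<string> _roles =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public IIdentity Identity { get; }

    // appRoles maps an application role name to the Windows principals
    // (groups or users, written as DOMAIN\name) that are members of it.
    public CustomPrincipal(WindowsIdentity identity,
                           IDictionary<string, string[]> appRoles)
    {
        Identity = new CustomIdentity(identity);

        // 1. Windows/AD roles: translate every group SID into a name.
        HashSet<string> windowsNames = ResolveWindowsRoles(identity);
        foreach (string name in windowsNames)
            _roles.Add(name);

        // 2. Application roles: grant the role if any member entry matches
        //    one of the user's Windows groups or the user account itself.
        foreach (KeyValuePair<string, string[]> role in appRoles)
        {
            foreach (string member in role.Value)
            {
                bool isUser = string.Equals(member, identity.Name,
                                            StringComparison.OrdinalIgnoreCase);
                if (isUser || windowsNames.Contains(member))
                {
                    _roles.Add(role.Key);
                    break;
                }
            }
        }
    }

    public bool IsInRole(string role) => _roles.Contains(role);

    private static HashSet<string> ResolveWindowsRoles(WindowsIdentity identity)
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (identity.Groups == null)       // anonymous identity has no groups
            return names;

        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned SID (deleted group, unreachable domain): skip it
                // rather than fail the whole login.
            }
        }
        return names;
    }
}

public static class LoginDemo
{
    public static void Main()
    {
        // Assumed stand-in for the real role store (database, config file...).
        var appRoles = new Dictionary<string, string[]>
        {
            ["Contributor"] = new[] { @"CORP\MyGroup", @"CORP\Alice" }
        };

        var principal = new CustomPrincipal(WindowsIdentity.GetCurrent(), appRoles);
        Thread.CurrentPrincipal = principal;

        Console.WriteLine($"{principal.Identity.Name} is Contributor: " +
                          principal.IsInRole("Contributor"));
    }
}
```

Two points worth keeping in mind with this layout. Roles are computed once when the principal is built, so removing Alice from the store or from `MyGroup` takes effect only on her next login (or when you rebuild the principal); and because the role store now decides who may do what, write access to it needs the same protection you would give the Active Directory group itself. Comparing on fully qualified `DOMAIN\name` values rather than bare names avoids accidental matches between a local group and a domain group of the same name.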
Copyright (c) Marimer LLC