I have a class Account that contains Users and Departments. A User can belong to multiple Departments within the same Account. I want the user to only be able to access records within its account. A typical request would look like:
http://localhost/api/department/5
I am using the OAuth/Claims security model that is provided in the SPA template of VS2013. I do not want to have to hit the database every request to see if the calling user is a member of the account and if the User belongs to a department. Is there a way to do this using a custom Authorization attribute and claims, or what is the best way to accomplish this?
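One way to answer the membership question from claims alone, shown here as an added example in C# (not code from the question or from the VS2013 SPA template): the token issuer puts one `account_id` claim and one `department_id` claim per department into the ClaimsIdentity at sign-in, and a Web API authorization filter compares the route's department id against those claims. The claim type names and the route value name `id` are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed claim types: the issuer adds "account_id" once and "department_id"
// once per department the user belongs to, restricted to departments of that
// account. The check below then needs no database access per request.
public sealed class DepartmentMemberAttribute : AuthorizationFilterAttribute
{
    public const string AccountClaim = "account_id";
    public const string DepartmentClaim = "department_id";

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.ControllerContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Route value "id" matches the default route api/{controller}/{id}, so
        // GET /api/department/5 yields "5". Authorization filters run before model
        // binding, so the id is read from route data rather than ActionArguments.
        object routeId;
        if (!actionContext.ControllerContext.RouteData.Values.TryGetValue("id", out routeId)
            || routeId == null
            || !IsMemberOfDepartment(principal, routeId.ToString()))
        {
            // 403 rather than 401: the caller is authenticated but not a member.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }

    // True when the principal carries an account claim and a department claim
    // whose value equals the requested department id (ordinal comparison, so
    // "5" and "05" are treated as different ids).
    public static bool IsMemberOfDepartment(ClaimsPrincipal principal, string departmentId)
    {
        return principal.HasClaim(c => c.Type == AccountClaim)
            && principal.Claims.Any(c => c.Type == DepartmentClaim
                                      && string.Equals(c.Value, departmentId, StringComparison.Ordinal));
    }
}

// Usage on a Web API action:
// [DepartmentMember] public Department Get(int id) { ... }
```

Because membership is baked into the token, a user removed from a department keeps access until the token expires, so this approach pairs with a short access-token lifetime and re-issuing claims on refresh.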