I looked at authorization manager, and was fairly impressed that MS was offering a nice RBAC framework. I think in most cases, the MMC interface is not sufficient for admin users. I recently read an article on ASP.NET 2 offering a roles based framework with a pre-rolled web based administrative interface. So for now, I am not sure what direction would be best for the web.