I'm using windows authentication in my ASP.net MVC 3 application. I have a few different roles in my system:

Administrator
PowerUser
GeneralUser

We have a rule in place that the AD group names are different in each environment.

For example, in Development the role names will be:

Administrator_Dev
PowerUser_Dev
GeneralUser_Dev

In production it would just be:

Administrator
PowerUser
GeneralUser

Is there a good solution for using Authorize in these different environments without changing the code when I need to deploy to a different environment?

Can't you just implement all of the roles? Unless there's a chance of an Administrator_Dev role being the production site...

[Authorize(Roles = "Administrator_Dev, Administrator")]

The only solution I can think of is the conditional compilation.

Define these constants in a file with conditional compile.

#if DEV
public const string AdministratorGroupName = "Administrator_Dev";
#else
public const string AdministratorGroupName = "Administrator";
#endif

This is one of the problems with declarative authorization using custom attributes that needs to be defined at compile-time.

Another alternative is to have another custom attribute and implement the action filter yourself.

I did by simply creating application specific configuration sections in web.config, putting the name of the environment specific AD group in the application configuration section and then use the configuration property on the Authorize Attribute. I can then change the group name by using custom web.config for each environment. For most applications, you need that anyway to be able to have different connection strings for each environment. With this, you can just use the in-built Authorize Attribute.