I’ve seen no other way of doing it. Inside your filter you can make the rules you want. What we do is use the users’ claims to Active Directory groups and check if they’re a member of the correct group. We just decorate the controller that gets called with it but it could be more granular.