Since you don't have an accepted answer and since I stumbled on this question researching another, I will endeavor to give you some pointers.
As has been pointed out, user management and role-based security in a win forms app is not something that will actually work client-side. In a web analogy, imagine trying to implement all of your security using only javascript and cookies, keeping no information on the server-side. It's insecure by default.
As has also been suggested, you can implement security on your database and have your users connect directly to the database from your win form. I would highly recommend that you do NOT pursue such a course. User management will become a nightmare. You need a middle tier.
What you should do is build a web service that implements role-based security (since you're familiar with it -- there are better authorization options out there) and has a custom authentication store. If you use WCF to build the web service, you can use the same RoleProvider and MembershipProvider classes that you're used to in ASP.NET.
That web service handles all of the business logic of your system and is responsible for connecting to the database. It provides a secure layer of abstraction and reduces the amount of database administration you need to do in order to manage your users. Your win forms app becomes a UI shell, responsible only for handling user interactions and up-front data validation (you should also validate at the middle tier) and nothing else.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
